by oarsinsync 2560 days ago
If gh-card.dev ever changes, you might find javascript being injected via the SVG instead of it just being an image. That's what the GP is alluding to, and recommending you host the gh-card code yourself rather than using their hosted instance.

SVGs used as the src= of an <img> tag can't run scripts.
What about all the npm modules?
It’s turtles all the way down. The point here is that people don’t consider third-party content inclusion to be more of a risk than “completely harmless”, which is generally false: the risk may or may not be slight, but it’s never non-zero.
And to follow up specifically on the npm modules: if you're self-hosted, you can (but probably won't) audit the contents of what's been deployed when you deploy. You can then also keep that snapshot frozen in time, so you won't necessarily be impacted by any changes to those modules in future.

If you're using the hosted version, you have no idea whether or not the modules are being updated, which versions are in use, etc.

Having control of your environment gives you the opportunity to be more (or even less) secure. It's important to fully understand the risk / potential harm that outsourcing that responsibility to random persons can have.
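The two ideas in this thread, auditing a third-party SVG for script-capable content before you inline it (the `<img>` case is already inert, as noted above) and freezing the reviewed copy so later upstream changes can't reach you unnoticed, as an added example that is not from the thread or from gh-card itself. The SVG samples and the hash value are constructed for the demo.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples: a plain badge-style SVG, and the same badge with
# the kinds of content that would run if the SVG were inlined into a page.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="120" height="20">
  <rect width="120" height="20" fill="#555"/>
  <text x="10" y="14" fill="#fff">gh-card</text>
</svg>"""

TAMPERED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="120" height="20">
  <rect width="120" height="20" fill="#555" onload="alert(1)"/>
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="14">gh-card</text></a>
</svg>"""


def find_active_content(svg_bytes):
    """Return a list of reasons an SVG could execute script when inlined.

    Looks for <script>/<foreignObject> elements, on* event-handler
    attributes, and javascript: URLs in href/xlink:href. Namespaced
    names are reduced to their local part before matching.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):
                findings.append(f"{local} event handler on <{tag}>")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def matches_snapshot(svg_bytes, expected_sha256):
    """Serve a third-party asset only if it still hashes to the audited copy."""
    return hashlib.sha256(svg_bytes).hexdigest() == expected_sha256


# Recorded once, at audit time, alongside the self-hosted copy.
CLEAN_SHA256 = hashlib.sha256(CLEAN_SVG).hexdigest()
```

Run the content check on the SVG you are about to self-host, then pin its hash; a later fetch that fails `matches_snapshot` is the signal to re-audit rather than silently redeploy.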