Cloudflare pays for this. They've been sponsoring cdnjs for around a year now.
As for the security of our system, all javascript files are verified against official sources before going on the cdn. Additionally, we have many library maintainers submitting updates to their own libraries.
Beyond that the only question remaining is our personal integrity. Like any relationship with a third party, you're going to have to decide whether trusting us is an acceptable level of risk. If past performance is any indication of integrity, we have had no security incidents since we began in January 2011.
I assume you are the creator of cdnjs - what is your relation with cloudflare beyond just the sponsorship? Are you working for them? Do you advise them?
I'm wondering what is the performance increase delivered by cloudflare. I've heard many mixed opinions and I'm at the intersection where I have to decide whether I'm using them or others.
btw - kudos to Cloudflare for sponsoring this - seems like a great way to put yourself in front of developers.
If I'm guessing what the names of your Pingdom checks mean correctly, they seem to show CloudFlare making your response time 10ms slower. I'm assuming that cdnjs.cloudflare.com is the site with CF in front, and cdnjs.com is without, not sure if that's correct.
Looking at the headers both are being served by CloudFlare. And cdnjs.cloudflare.com is being redirected to cdnjs.com. So, I suspect that that's where the extra time comes from.
You know, I'm just cynical enough to believe that security problems have little or no bearing on stock price. However, reputation is a kind of stock too, so from that perspective I agree, public CDNs like these have little to gain and lots to lose by tampering with these libraries to inject, say, a behind-page pop-up with ads.