While i agree that is better than nothing, i've always had my doubts about this approach.
Do people really audit such code? I doubt it. Does the code really not insert any additional code that allows bypassing the whole scheme (esp. If the point is to dynamically insert content).
I also think most of the time, the biggest threat is not the vendor being intentionally evil but the vendor making a mistake that leads to XSS which someone else exploits. After all, if the vendor is intentionally being malicious they can probably sneakily bypass this sort of thing.
Supply chain risk gets all the headlines, but personally i think its a bit overhyped.
That said, things like SRI don't really fully fix the supply chain issue. Supply chain issues usually mean the developer intentionally upgrades to a new version, that unbeknownst to them is malicious. It is usually not about a resource getting replaced with nobody realizing it, everyone realizes the upgrade is happening. In such a situation it is likely SRI hashes would get upgraded too.
Solutions like hashes or digital signatures are useless if the person being tricked is the one responsible for signing things.
Do people really audit such code? I doubt it. Does the code really not insert any additional code that allows bypassing the whole scheme (esp. If the point is to dynamically insert content).
I also think most of the time, the biggest threat is not the vendor being intentionally evil but the vendor making a mistake that leads to XSS which someone else exploits. After all, if the vendor is intentionally being malicious they can probably sneakily bypass this sort of thing.