Supply chain risk gets all the headlines, but personally I think it's a bit overhyped.
That said, things like SRI don't really fully fix the supply chain issue. Supply chain issues usually mean the developer intentionally upgrades to a new version that, unbeknownst to them, is malicious. It is usually not about a resource getting replaced with nobody realizing it; everyone realizes the upgrade is happening. In such a situation, it is likely SRI hashes would get upgraded too.
Solutions like hashes or digital signatures are useless if the person being tricked is the one responsible for signing things.
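
The distinction drawn in the comment above, as an added example that is not part of the original comment: a Node.js model of the browser's SRI check showing that a pinned hash blocks a silent swap on the host but accepts a bad release once the hash is regenerated during the upgrade. The function names (`sriHash`, `sriAllows`, `scenarios`) and the file contents are constructed for illustration.

```javascript
// Added example: a model of the browser's Subresource Integrity check.
const { createHash } = require("node:crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest

// Build an integrity value ("sha384-<base64 digest>") for a resource body.
function sriHash(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Decide as the browser does: only the strongest listed algorithm counts,
// and the fetched body must match one of that algorithm's digests.
function sriAllows(integrity, body) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => /^(sha256|sha384|sha512)-([^?]+)/.exec(token))
    .filter(Boolean) // unknown or malformed tokens are ignored
    .map(([, alg, digest]) => ({ alg, digest }));
  if (entries.length === 0) return true; // no usable metadata: resource loads
  const rank = (entry) => STRENGTH.indexOf(entry.alg);
  const best = Math.max(...entries.map(rank));
  return entries
    .filter((entry) => rank(entry) === best)
    .some((entry) => sriHash(body, entry.alg) === `${entry.alg}-${entry.digest}`);
}

// Constructed file contents standing in for a third-party script.
const v1 = "export const sum = (a, b) => a + b;";
const swapped = v1 + "/* constructed: code added on the host */";
const v2 = "export const sum = (a, b) => a + b; /* constructed: bad release */";

function scenarios() {
  const pinned = sriHash(v1);   // hash recorded when v1 was adopted
  const repinned = sriHash(v2); // hash regenerated during the upgrade to v2
  return {
    unchanged: sriAllows(pinned, v1),       // true
    silentSwap: sriAllows(pinned, swapped), // false: replacement is blocked
    upgradeOldPin: sriAllows(pinned, v2),   // false until the pin is updated
    upgradeNewPin: sriAllows(repinned, v2), // true: the bad release loads
  };
}

console.log(scenarios());
```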