That's not a hash collision, that's a hash preimage attack.
If you can perform a hash preimage attack, then faking a JS library is aiming really low.
• You could forge any SSL certificate.
• You could forge any PGP/GPG message (public key crypto is not applied to whole messages, only hashes of them, same with certs).
• You could maliciously modify Git repositories, even those with GPG signed releases like the Linux kernel.
• You could inject malware into any package repository, MITM software updates for all OSes, etc.
Basically, the security of the entire Internet and all secure software distribution depends on the fact that a preimage attack against crypto hashes is impossible (i.e. the time and/or energy required to perform a brute-force attack is literally astronomical).
A slightly more sensible approach may be to allow script tags (or any external linking mechanism) to list multiple (trusted) sources, and fall back appropriately.
That certainly feels more in line with how the internet in general was designed.
The domains are obviously trusted to a degree. The objective of the hash is just to allow a content-addressed[0] client-side web cache, and avoid talking to them most of the time. Good for privacy, security and load times.