Hacker News

runtime_terror today at 3:01 PM (3 replies)

Except now you're making HTTP calls to remote servers that could be compromised.


Replies

grugdev42 today at 7:38 PM

This is a solved problem.

Use HTTPS and use the integrity attribute.

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...

Also, what's more likely? Someone hacking jsDelivr/cdnjs OR some random NPM packages getting hacked?

bdcravens today at 5:33 PM

Can be mitigated, as the sibling comment points out, but even in the situation you described, the blast radius is reduced, especially for frontend libs.

phpdave11 today at 3:30 PM

As long as you embed it with an SRI integrity hash, you're safe, even if the remote server is compromised.
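
Added example, not part of any comment in the thread: a Node.js model of the check a browser applies to the `integrity` attribute (SRI) that the replies above refer to, run against a pinned file and a modified copy. The function names and the sample script bytes are constructed for illustration.

```javascript
// Added example: models the browser's SRI decision in Node.js.
const { createHash } = require('node:crypto');

// Hash algorithms SRI defines, ranked so the strongest one present wins.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity value for bytes you have reviewed and want to pin.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Parse "alg-base64[?options]" tokens separated by whitespace.
// Malformed tokens and unknown algorithms are dropped, as browsers do.
function parseIntegrity(attr) {
  const out = [];
  for (const token of attr.trim().split(/\s+/)) {
    const expr = token.split('?')[0];
    const dash = expr.indexOf('-');
    if (dash < 1) continue;
    const alg = expr.slice(0, dash);
    if (Object.hasOwn(STRENGTH, alg)) out.push({ alg, digest: expr.slice(dash + 1) });
  }
  return out;
}

// True if a script with this body would be allowed to run.
function sriAllows(body, attr) {
  const meta = parseIntegrity(attr);
  // No usable metadata means no enforcement: the resource loads unchecked.
  if (meta.length === 0) return true;
  const best = Math.max(...meta.map((m) => STRENGTH[m.alg]));
  return meta
    .filter((m) => STRENGTH[m.alg] === best)
    .some((m) => createHash(m.alg).update(body).digest()
      .equals(Buffer.from(m.digest, 'base64')));
}

// Constructed sample: the reviewed file and a modified copy a CDN might serve.
const pinned = Buffer.from('window.lib = { version: "1.0.0" };\n');
const modified = Buffer.from('window.lib = { version: "1.0.0" }; /* changed */\n');
const integrity = sriFor(pinned);

console.log(integrity);
console.log('pinned bytes allowed:', sriAllows(pinned, integrity));
console.log('modified bytes allowed:', sriAllows(modified, integrity));
console.log('unsupported algorithm enforced:', !sriAllows(modified, 'md5-AAAA'));
```

The last line prints `false`: an attribute that contains only unsupported or malformed values enforces nothing, so a build step that generates `integrity` values should also confirm each one parses to a supported algorithm.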