Unpinned “latest” Insecure

Why it’s bad: builds become non-deterministic; a compromised publish can inject code and the browser will run it. You can’t prove what was actually served.

1. This page attempts to load lodash@latest from a CDN.
2. If it loads, we show the detected version. If not, you’ll see a failure message.
3. Compare with the secure page that pins an exact version (and can add SRI).