Docs about SRI: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

The jsDelivr CDN API used to download packages seem to support SRI (jsdelivr/api#137) so we could use that to only generate hashes for application assets.

Also, this should be an option because if you use CDN/servers that mangle the assets (e.g. to minify or compress the source code) the hashes won't be valid.