The fact that...
... the majority of web "developers" are quite happy to link to API code from an external site that they've probably never even looked at much less verified to run their javascript pretty much says it all about how my they know or care about security. Could you imagine a C++ or java dev #includ'ing some random code or linking with a binary lib or jar file from offsite on each compile? Exactly.
The whole javascript software model is fundamentally broken. Any dev worth his salary would download the code and at least give it a once over first then stick it on his own website to be accessed locally when the page loads which not only makes it faster but also prevents this sort of code injection being an issue.
Biting the hand that feeds IT
