What is Subresource Integrity (SRI) and which attack does it prevent?
SRI pins a cryptographic hash of a third-party script or stylesheet via the integrity attribute (e.g. <script src="https://cdn/x.js" integrity="sha384-…" crossorigin="anonymous">). The browser refuses to run the resource if its hash doesn't match — mitigating a compromised CDN or MITM that swaps the file (a supply-chain risk). Limitations: you must update the hash whenever the legitimate file changes, and SRI requires CORS for cross-origin resources; it doesn't protect dynamically built or self-hosted scripts.