You load a library from a CDN. If that CDN is hacked (or your account on it is), the file you ship to every user silently changes. Subresource Integrity (SRI) pins a cryptographic hash in your tag; the browser hashes the bytes it downloads and refuses to run the file if the hash doesn't match. The hashes below are real SHA-384.
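The check described above, as an added example that is not code from the original page: a simplified Node.js model of how a browser evaluates an `integrity` attribute. It goes slightly beyond the text by handling several hashes in one attribute and the case where no recognised hash is present. The function names, the sample file contents and the `cdn.example` URL are assumptions made up for the illustration.

```javascript
// Added example: a simplified Node.js model of the browser's SRI check.
const { createHash } = require('node:crypto');

// Hash algorithms SRI recognises, ranked weakest to strongest.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Build the value for integrity="..." from the exact bytes you reviewed.
function sriValue(bytes, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// Split an integrity attribute into "alg-base64[?options]" tokens and
// keep only those whose algorithm is recognised.
function parseIntegrity(attr) {
  const metadata = [];
  for (const token of attr.trim().split(/\s+/).filter(Boolean)) {
    const expr = token.split('?')[0];
    const dash = expr.indexOf('-');
    if (dash < 1) continue; // not of the form alg-digest
    const alg = expr.slice(0, dash);
    if (STRENGTH.has(alg)) metadata.push({ alg, digest: expr.slice(dash + 1) });
  }
  return metadata;
}

// true = the file would run, false = the browser would refuse it.
function wouldExecute(bytes, attr) {
  const metadata = parseIntegrity(attr);
  if (metadata.length === 0) return true; // no usable hash: nothing is enforced
  const best = Math.max(...metadata.map((m) => STRENGTH.get(m.alg)));
  return metadata
    .filter((m) => STRENGTH.get(m.alg) === best) // only the strongest algorithm counts
    .some((m) => createHash(m.alg).update(bytes).digest('base64') === m.digest);
}

// Constructed sample files standing in for a CDN-hosted library.
const reviewed = Buffer.from('window.lib = { version: "1.0.0" };\n');
const tampered = Buffer.from('window.lib = { version: "1.0.0" }; /* changed on the CDN */\n');
const pinned = sriValue(reviewed);

console.log(`<script src="https://cdn.example/lib.js" integrity="${pinned}" crossorigin="anonymous"></script>`);
console.log('reviewed bytes run:', wouldExecute(reviewed, pinned));
console.log('tampered bytes run:', wouldExecute(tampered, pinned));
console.log('unrecognised hash only:', wouldExecute(tampered, 'md5-AAAA'));
```

The last line shows the caveat worth checking in your own pages: an attribute that is empty or names only an unrecognised algorithm pins nothing, so the changed file still runs.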