I think nothing is stopping me from creating a commit in a project that says 'Update react' and making arbitrary changes to vendor/javascript/react.js. The change is impossible to review and AFAICT nothing is checking the integrity of this file. At least I could modify the file in my project and the modified file was simply served.
Related: #122 and #199
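The integrity check the comment says is missing, as an added example that is not code from this thread or from the project: vendored files are verified against a committed manifest of expected SHA-256 digests, so a commit that silently alters vendor/javascript/react.js (or drops in an unlisted file) is flagged. The sha256sum-style manifest format, its location, and the file contents are assumptions constructed for the demo.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'digest  relative/path' lines (sha256sum style; assumed format)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected

def verify_vendor(root, manifest_text):
    """Return sorted problems: files modified, missing, or not in the manifest."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    problems = []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"modified: {rel}")
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in expected:
            problems.append(f"unlisted: {rel}")
    return sorted(problems)

def demo():
    """Constructed scenario: react.js is pinned, then edited in an 'Update react' commit."""
    with TemporaryDirectory() as d:
        vendor = Path(d) / "vendor" / "javascript"
        vendor.mkdir(parents=True)
        react = vendor / "react.js"
        react.write_bytes(b"// constructed stand-in for the pinned react.js\n")
        manifest = f"{sha256_of(react)}  react.js\n"   # recorded at pin time
        clean = verify_vendor(vendor, manifest)         # expect no problems
        react.write_bytes(b"// constructed stand-in with an unreviewed edit\n")
        (vendor / "extra.js").write_bytes(b"// constructed file never pinned\n")
        return clean, verify_vendor(vendor, manifest)
```

Running verify_vendor in CI against the checked-in manifest turns the unreviewable "Update react" diff into a failing build unless the manifest is updated alongside it, which is the line a reviewer can actually inspect.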