This was done because previously, the worker used importscript to load deps from a CDN, which was vulnerable to attacks like XSS because it does not support SRI. The web worker also cannot access deps from the global head.