In my experience, first-party JavaScript is more likely to be updated so rarely that bugs and exploits are more likely than supply chain attacks. If I heard about NPM getting attacked as often as I hear about CDNs getting attacked, I’d be more concerned.
If the planes had entered sovereign airspace, sure. They synopsis says the Russians were flying in international airspace, which usually means it’s not under the sovereign control of any nation and the Latvians would have had no basis to fire on the Russians.
Personally, I’d love to see the Russians try to stunt their way into someone’s airspace and get dick slapped for it, but I doubt that would happen.