For the cloudflare-served js you should ping them and let them know. I expect it’s a bug or configuration problem on their side that the expires headers are not being sent (they appear to have a version in the URL).
For the QR code, I’d recommend just downloading the image and hosting it yourself instead of using the outside service to render it every time. That way you have more control over it and it doesn’t appear to be something that will change.