@Ironholds: My comment appears to have been truncated. I'm not sure if it was censored because I said something that I shouldn't have said (I didn't think so), or if it was a phab glitch, or if it was user error.
There was a small meeting, in which we were reminded of the policy that any third-party code being brought in should be reviewed by our security team.
Gotcha. And, was that because something had happened...? I wasn't in that 'small meeting' and I'm left trying to glean if this means that we need to integrate wider code and that'll slow down the EL implementation, or what.
The meeting was about T117512: Give security a heads-up about plans and scripts to deploy wikipedia.org portal from gerrit, and was attended by Chris, Max, Erik, and me.
After getting through the main topic, we mentioned we would be adding JS event logging and A/B testing capabilities to the portal, at which point he reminded us of this policy. I felt it was valuable to pass it along, especially to our newer developers. I don't think we know yet whether this will impact our schedule.
@Ironholds, @ksmith Third-party code shouldn't impact the event logging implementation schedule, as we're only using a handful of third-party snippets for polyfilling older browsers. We're not using (and were given instructions not to use) any third-party libraries (no jQuery, not even mw.js), which brings its own challenges, but none relating to security concerns.