I noticed piwik was being served on the foundation website, from its own domain, at https://piwik.wikimedia.org/piwik.js
Looking at the HTTP headers of this request, it doesn't have caching set up properly.
It's not cached on the server-side, meaning that Varnish doesn't serve it:
x-cache: cp1083 pass, cp3032 pass, cp3040 pass x-cache-status: pass
This is problematic in case of high traffic spikes, since this is served to every client on this site (and I'm guessing on other sites as well).
And even more importantly, this HTTP request doesn't serve any caching header, meaning that the browser won't ever cache it, downloading it for every page load. A cache-control header would be highly desirable here. Since the URL is unversioned, of course this means that updates of the JS reaching clients that already have a previous version cached would be delayed by that duration. But at the very least the browser should cache this for minutes or hours, so that users can benefit from piwiki being cached for the duration of their browsing session.