It seems a generally good idea to proliferate the usage of foreign-resources.yaml across repos that use third-party JS libraries.
MW core has this, and some extensions too, but many don't...
Having foreign-resources.yaml files, and keeping them up to date (enforced by CI where possible; see T330508: Expand running of ForeignResourceStructureTest against skins and extensions that have foreign-resources.yaml files), makes review and audit easier.
See also: https://www.mediawiki.org/wiki/ResourceLoader/Foreign_resources