NOTE: Blocked on T330508
The Graph extension currently depends on the d3 and Vega libraries. These are static files inside the code repository, meaning anyone can edit them or swap them out for untrusted or unaudited files.
# TODO
[X] These libraries should be managed by a foreign-resources.yaml file. It should be possible to run a script and verify the files match the published versions.
[X] The Growth team has a more modern custom d3.js build that has gone through a security review. We should use that if possible.
[] The latest version of Vega requires ES7 syntax, so we'll need to be able to transpile this reliably to ES6 given our browser support. We currently work around this by disabling minimization but should avoid this in the long run. Unfinished. Upstream bug is https://github.com/vega/vega/issues/3723
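
The check the first TODO item asks for (run a script and verify the vendored files match the published versions), as an added example; it is not the Graph extension's or MediaWiki's own code. The pin mapping is an assumed, simplified format rather than the foreign-resources.yaml schema, and the file names and contents are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import tempfile
from pathlib import Path

def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Return a Subresource-Integrity style string: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def verify_vendored(root: Path, pins: dict[str, str]) -> list[str]:
    """Compare every file under root with its pinned digest; return findings."""
    findings = []
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name, pinned in sorted(pins.items()):
        if name not in on_disk:
            findings.append(f"missing: {name}")
            continue
        algo = pinned.split("-", 1)[0]
        if algo not in ("sha256", "sha384", "sha512"):
            findings.append(f"unsupported algorithm: {name}")
            continue
        actual = sri_digest((root / name).read_bytes(), algo)
        if not hmac.compare_digest(actual, pinned):
            findings.append(f"mismatch: {name}")
    # A file nobody pinned is as suspicious as a modified one.
    findings += [f"unpinned: {n}" for n in sorted(on_disk - set(pins))]
    return findings

def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: pin two files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "d3").mkdir()
        (root / "d3" / "d3.js").write_bytes(b"/* constructed d3 stand-in */\n")
        (root / "vega.js").write_bytes(b"/* constructed vega stand-in */\n")
        pins = {n: sri_digest((root / n).read_bytes()) for n in ("d3/d3.js", "vega.js")}
        clean = verify_vendored(root, pins)
        (root / "vega.js").write_bytes(b"/* edited in place */\n")
        (root / "extra.js").write_bytes(b"/* dropped in */\n")
        return clean, verify_vendored(root, pins)

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

Run in CI, a non-empty findings list should fail the build, so an edited or swapped library cannot merge unnoticed.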