> There is no way that I would host a solution that includes third-party scripts.
How is this different from allowing corporate users to access web apps that have Google Analytics running? We've seen some enterprises block GA, but they are in the minority.
The difference is the third party script has complete control over the page it’s on. So if the page is your GitLab instance, the third party has complete control over your repositories and probably your complete infrastructure. Just introduce some malware to the build scripts and you’re in.
As the parent comment describes: You're using GitLab as a web interface to change code on your servers. JavaScript running on the page of that web interface can do almost anything you can do with that page, by producing the same events.
(Actually, browsers have a bunch of tools to restrict that, so it's not 100% if engineered properly. But if it's just "include some scripts"...)
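Content-Security-Policy is one of the browser tools referred to above. The following is an added example, not code from any commenter or from GitLab: a simplified audit that reports which third-party scripts a given policy would still let a page load. The function names, the `gitlab.example.internal` host and the script URLs are hypothetical, and nonces, hashes, `'strict-dynamic'`, ports and paths are not modelled.

```javascript
// Added example: simplified CSP script-source evaluation (not a full CSP implementation).
// Not modelled: nonces, hashes, 'strict-dynamic', ports and paths in host-sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// script-src-elem falls back to script-src, which falls back to default-src.
function effectiveScriptSources(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no applicable directive: scripts are unrestricted
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  if (s.startsWith("'")) return false; // other keywords, nonces, hashes: not modelled
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  // "*.example.net" matches subdomains only, never the bare domain.
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Returns the third-party script URLs the policy would still allow on the page.
function thirdPartyScriptsAllowed(cspHeader, pageUrl, scriptUrls) {
  const pageOrigin = new URL(pageUrl).origin;
  const sources = effectiveScriptSources(parseCsp(cspHeader));
  return scriptUrls.filter((u) => {
    const url = new URL(u, pageUrl);
    if (url.origin === pageOrigin) return false; // first-party script
    return sources === null || sources.some((s) => sourceMatches(s, url, pageOrigin));
  });
}

// Constructed sample input: a hypothetical self-hosted GitLab page and its script tags.
const PAGE = 'https://gitlab.example.internal/group/project';
const SCRIPTS = ['/assets/app.js', 'https://www.google-analytics.com/analytics.js', 'https://cdn.example.net/widget.js'];
```

An empty result for the policy a deployment actually sends means no listed third-party script would execute on that page; a response with no script directive at all returns every third-party URL.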