There are JavaScript files in the GitHub repository, so I'm going to assume they mean third-party dependencies, but some more clarification would be nice.
Confirmed. The intent is anyone can audit our whole codebase in one GitHub repo for vulnerabilities and not scripts spread across many CDNS and projects which may change over time.