Re: Cant win...
Use a local proxy to cache all your remotely collected scripts. Have that proxy run a comparison check against the last known good version for all external scripts.
If the code changes, don't update the cache until it has been signed off as safe, at that point you can update your 'known good' version and carry on serving it to your clients.
Ok, so if there's a problem with a valid script and it needs to be updated then that fix might be delayed until you can sign off the update, but that's a lot better than taking the chance of feeding your customers compromised scripts.
This avoids the need to micro-manage all the scripts internally, but injects a safeguard against compromised remote script updates such as the one in this story.
Or does that sound too hard?