First I think we're drifting away from the original ticket topic. Shall I open a new ticket or is it possible to kind of move this discussion to another ticket?

Thank you for your reply.

1. How are you managing autoloading classes for external libraries? (source code refference please)
2. Why aren't you sharing the improvements made via PR's in the repos? (Or are you?)
3. Installing / updating Phabricator using Composer would be as simple as composer install or composer upadte as long as the required version in the composer.json would be @dev etc.

IMHO 3rd party libraries aren't that bad (at least the "big ones"). E.g. if you look at Parsedown being nearly 1.4k times faved and a huge active bugtracker I don't see how it would be better to implement such functionality by yourself. Of course you shouldn't just use whatever library there is available but there are some high quality ones out there.

I don't know what the policy of the phabricator devs is, but i would leverate existing libraries for that kind of functionalities. They should have cared enough about those questions.
Since i just recently found phabricator I'm not that much into source yet. I know it's a bit offtopic and it has been discussed on other places, but when you would use Composer for dependency management, it would make a lot of things much easier. ( D5819 )
As a library i would recommend Parsedown.

Question might be dumb but what kind of security issues are you talking about? I just can't come up with any.