So, an update: after we replied to their email, they responded (the next day) to tell us that they were concerned about the jQuery library we included in our package.
The unminified, unobfuscated jQuery library. The entirely human-readable jQuery library. The same jQuery library, I’ll note, that they approved last time (and on several versions before that) without any concerns.
You’d think they’d host versions of jQuery and other popular JS libraries themselves so that developers could just reference those, rather than having to deal with this rigamarole, but shrug