[ci skip]

Update Nokogiri to fix CVE-2020-7595

Closes #73

See merge request gitlab-org/security/gitlab!271

vulnerability_feedback records should be restricted to a dev role

See merge request gitlab-org/security/gitlab!308

/vulnerability_feedback leaks metadata and comments on vulnerabilities
when the project is public
All of the data in  vulnerability_feedback records should be restricted
to a dev role and above

Repository archive endpoint hotlinking prevention

See merge request gitlab-org/security/gitlab!309

Validate NPM package versions to be SemVer compliant

Closes #96

See merge request gitlab-org/security/gitlab!359

Adds some header detection to help prevent DDOS attempts on the
repository archive endpoint. Introduced as a concern so it can
be utilised elsewhere if needed.

Now uses built-in Rails header parser and doesn't block
legimate Sec-Fetch-Mode headers.

Adds support for hotlinking interception on the API as well, refactors
most of the system out into a new class to cover both Rails and Grape.

Authorize create snippet through API request

Closes #59

See merge request gitlab-org/security/gitlab!206

Reject blocked users in Gitlab::Auth.find_for_git_client

Closes #65

See merge request gitlab-org/security/gitlab!233

Fix XSS vulnerability in admin email "Recipient Group" dropdown

See merge request gitlab-org/security/gitlab!268

Dropdown is found at `admin/email`. Passes dropdown options through
`sanitizeItem`.  To prevent errors `sanitizeItem` is updated to check
if `name` and `namespace` keys exist before sanitizing.

Prevent updating trigger by other maintainers

See merge request gitlab-org/security/gitlab!269

Restrict mirroring changes to admins only when mirroring is disabled

See merge request gitlab-org/security/gitlab!275

Prevent malicious entry for group name

See merge request gitlab-org/security/gitlab!281

Redact notes in moved confidential issues

See merge request gitlab-org/security/gitlab!294

Deny localhost requests on fogbugz importer

See merge request gitlab-org/security/gitlab!295

Ignore empty remote_id params from Workhorse

See merge request gitlab-org/security/gitlab!314

In https://gitlab.com/gitlab-org/security/gitlab-workhorse/-/merge_requests/3
we're changing Workhorse to always send empty values for unused fields,
to avoid any injected client parameters overriding them.

This causes an error in Rails because we're not checking for empty
strings in `remote_id` and attempting to store a remote file:

```
ObjectStorage::RemoteStoreError - Bad file path:
  app/uploaders/object_storage.rb:353:in `cache_remote_file!'
```

Restrict access to project pipeline metrics reports

See merge request gitlab-org/security/gitlab!323

Add permission check for pipeline status of MR

See merge request gitlab-org/security/gitlab!336

Exclude carrierwave remote url methods from import

Closes #97

See merge request gitlab-org/security/gitlab!364

UploadRewriter Path Traversal Security Fix

See merge request gitlab-org/security/gitlab!365

Improve discord messages

See merge request gitlab-org/gitlab!27812

Ensure VSM stage has relative position

See merge request gitlab-org/gitlab!27801

Fix broadcast message rendering

See merge request gitlab-org/gitlab!27755

Revert has_parent? optimization

Closes #36938

See merge request gitlab-org/gitlab!27668

Separate code review, design, group module into own module files

See merge request gitlab-org/gitlab!27860

Attribute background migrations to database category

See merge request gitlab-org/gitlab!27777

Remove state column ignore rule

See merge request gitlab-org/gitlab!27690

Migrate security-dashboard vulnerability mutations specs to Jest

See merge request gitlab-org/gitlab!27286

#30526 (B) [BE] Wiki Events (services)

See merge request gitlab-org/gitlab!26533

Cache ES enabled namespaces and projects

See merge request gitlab-org/gitlab!27348

SELECT query involving `elasticsearch_indexed_projects` table
consumes a lot of resources. The query itself is not slow
(13.224 ms/call), but it happens almost 100 times per second.

This change implements caching of `elasticsearch_indexed_projects` and
`elasticsearch_indexed_namespaces`.

De-duplicate groups_controller spec

See merge request gitlab-org/gitlab!27874

Expose created_at property in Groups API

See merge request gitlab-org/gitlab!27824

Prevent creation of .env file

See merge request gitlab-org/gitlab!21174

Use `license_scanning` licensed feature in tests

See merge request gitlab-org/gitlab!27752

All code related to `license_management` is scheduled
to be deprecated after 13.0 https://gitlab.com/gitlab-org/gitlab/-/issues/8912