Given the way releases are done and security is handled, one can argue that it makes sense to stay one major version behind, as long as it is a version to which security patches are applied regularly.
My god, I read up a little on the vulnerability, and it might have been written as a feature to recover your account with any email address?? The module was called RecoverableByAnyEmail or something.
> The upshot of all this is that admins who enabled some form of two-factor authentication (2FA) in GitLab are safe and unaffected by the vulnerability. And of course you enabled 2FA, didn't you?
...which begs the question: What US federal agencies aren't deploying their GitLab instances behind CAC auth at a minimum?