Refresh patches

debian/patches/0050-relax-stable-libs.patch

@@ -49,9 +49,9 @@ gitlab Gemfile
 +gem 'rack-oauth2', '~> 1.9', '>= 1.9.3'
 +gem 'jwt', '~> 2.1'
  
- # Spam and anti-bot protection
+ # Kerberos authentication. EE-only
- gem 'recaptcha', '~> 4.11', require: 'recaptcha/rails'
+ gem 'gssapi', group: :kerberos
-@@ -54,38 +54,38 @@
+@@ -57,41 +57,41 @@
  gem 'invisible_captcha', '~> 0.12.1'
  
  # Two-factor authentication
@@ -93,16 +93,19 @@ gitlab Gemfile
 +gem 'rack-cors', '~> 1.0', require: 'rack/cors'
  
  # GraphQL API
--gem 'graphql', '~> 1.8.0'
+-gem 'graphql', '~> 1.9.11'
++gem 'graphql', '~> 1.9', '>= 1.9.11'
+ # NOTE: graphiql-rails v1.5+ doesn't work: https://gitlab.com/gitlab-org/gitlab-ce/issues/67293
+ # TODO: remove app/views/graphiql/rails/editors/show.html.erb when https://github.com/rmosolgo/graphiql-rails/pull/71 is released:
+ # https://gitlab.com/gitlab-org/gitlab-ce/issues/67263
 -gem 'graphiql-rails', '~> 1.4.10'
 -gem 'apollo_upload_server', '~> 2.0.0.beta3'
-+gem 'graphql', '~> 1.8'
 +gem 'graphiql-rails', '~> 1.4', '>= 1.4.10'
 +gem 'apollo_upload_server', '>= 2.0.0.beta3'
  gem 'graphql-docs', '~> 1.6.0', group: [:development, :test]
  
  # Disable strong_params so that Mash does not respond to :permitted?
-@@ -95,7 +95,7 @@
+@@ -101,7 +101,7 @@
  gem 'kaminari', '~> 1.0'
  
  # HAML
@@ -111,22 +114,26 @@ gitlab Gemfile
  
  # Files attachments
  gem 'carrierwave', '~> 1.3'
-@@ -105,7 +105,7 @@
+@@ -111,7 +111,7 @@
  gem 'fog-aws', '~> 3.5'
  # Locked until fog-google resolves https://github.com/fog/fog-google/issues/421.
  # Also see config/initializers/fog_core_patch.rb.
 -gem 'fog-core', '= 2.1.0'
 +gem 'fog-core', '= 2.1'
- gem 'fog-google', '~> 1.8'
+ gem 'fog-google', '~> 1.9'
  gem 'fog-local', '~> 0.6'
  gem 'fog-openstack', '~> 1.0'
-@@ -119,39 +119,39 @@
+@@ -125,7 +125,7 @@
  gem 'unf', '~> 0.1.4'
  
  # Seed data
 -gem 'seed-fu', '~> 2.3.7'
 +gem 'seed-fu', '~> 2.3', '>= 2.3.7'
  
+ # Search
+ gem 'elasticsearch-model', '~> 0.1.9'
+@@ -136,35 +136,35 @@
+ 
  # Markdown and HTML processing
  gem 'html-pipeline', '~> 2.8'
 -gem 'deckar01-task_list', '2.2.0'
@@ -171,7 +178,7 @@ gitlab Gemfile
    gem 'unicorn-worker-killer', '~> 0.4.4'
  end
  
-@@ -168,13 +168,13 @@
+@@ -181,13 +181,13 @@
  gem 'acts-as-taggable-on', '~> 6.0'
  
  # Background jobs
@@ -180,7 +187,7 @@ gitlab Gemfile
  gem 'sidekiq-cron', '~> 1.0'
 -gem 'redis-namespace', '~> 1.6.0'
 +gem 'redis-namespace', '~> 1.6'
- gem 'gitlab-sidekiq-fetcher', '0.5.1', require: 'sidekiq-reliable-fetch'
+ gem 'gitlab-sidekiq-fetcher', '0.5.2', require: 'sidekiq-reliable-fetch'
  
  # Cron Parser
 -gem 'fugit', '~> 1.2.1'
@@ -188,7 +195,7 @@ gitlab Gemfile
  
  # HTTP requests
  gem 'httparty', '~> 0.16.4'
-@@ -186,14 +186,14 @@
+@@ -199,14 +199,14 @@
  gem 'ruby-progressbar'
  
  # GitLab settings
@@ -206,7 +213,7 @@ gitlab Gemfile
  
  # Export Ruby Regex to Javascript
  gem 'js_regex', '~> 3.1'
-@@ -206,13 +206,13 @@
+@@ -219,13 +219,13 @@
  gem 'connection_pool', '~> 2.0'
  
  # Redis session store
@@ -221,8 +228,8 @@ gitlab Gemfile
 +gem 'hipchat', '~> 1.5'
  
  # Jira integration
- gem 'jira-ruby', '~> 1.4'
+ gem 'jira-ruby', '~> 1.7'
-@@ -221,7 +221,7 @@
+@@ -235,7 +235,7 @@
  gem 'flowdock', '~> 0.7'
  
  # Slack integration
@@ -231,12 +238,12 @@ gitlab Gemfile
  
  # Hangouts Chat integration
  gem 'hangouts-chat', '~> 0.0.5'
-@@ -233,11 +233,11 @@
+@@ -247,11 +247,11 @@
  gem 'ruby-fogbugz', '~> 0.2.1'
  
  # Kubernetes integration
--gem 'kubeclient', '~> 4.2.2'
+-gem 'kubeclient', '~> 4.4.0'
-+gem 'kubeclient', '~> 4.2', '>= 4.2.2'
++gem 'kubeclient', '~> 4.4'
  
  # Sanitize user input
  gem 'sanitize', '~> 4.6'
@@ -245,7 +252,7 @@ gitlab Gemfile
  
  # Sanitizes SVG input
  gem 'loofah', '~> 2.2'
-@@ -246,10 +246,10 @@
+@@ -260,10 +260,10 @@
  gem 'licensee', '~> 8.9'
  
  # Protect against bruteforcing
@@ -258,7 +265,7 @@ gitlab Gemfile
  
  # Detect and convert string character encoding
  gem 'charlock_holmes', '~> 0.7.5'
-@@ -267,21 +267,21 @@
+@@ -281,10 +281,10 @@
  gem 'webpack-rails', '~> 0.9.10'
  gem 'rack-proxy', '~> 0.6.0'
  
@@ -272,11 +279,7 @@ gitlab Gemfile
  gem 'font-awesome-rails', '~> 4.7'
  gem 'gemojione', '~> 3.3'
  gem 'gon', '~> 6.2'
- gem 'request_store', '~> 1.3'
+@@ -296,7 +296,7 @@
--gem 'virtus', '~> 1.0.1'
-+gem 'virtus', '~> 1.0', '>=1.0.1'
- gem 'base32', '~> 0.3.0'
- 
  # Sentry integration
  gem 'sentry-raven', '~> 2.9'
  
@@ -284,8 +287,8 @@ gitlab Gemfile
 +gem 'premailer-rails', '~> 1.9', '>=1.9.7'
  
  # LabKit: Tracing and Correlation
- gem 'gitlab-labkit', '~> 0.4.2'
+ gem 'gitlab-labkit', '~> 0.5'
-@@ -289,14 +289,14 @@
+@@ -304,11 +304,11 @@
  # I18n
  gem 'ruby_parser', '~> 3.8', require: false
  gem 'rails-i18n', '~> 5.1'
@@ -299,12 +302,8 @@ gitlab Gemfile
 +gem 'batch-loader', '~> 1.4'
  
  # Perf bar
--gem 'peek', '~> 1.0.1'
+ # https://gitlab.com/gitlab-org/gitlab-ee/issues/13996
-+gem 'peek', '~> 1.0', '>= 1.0.1'
+@@ -347,62 +347,62 @@
- 
- # Snowplow events tracking
- gem 'snowplow-tracker', '~> 0.6.1'
-@@ -330,39 +330,39 @@
  end
  
  group :development, :test do
@@ -357,16 +356,14 @@ gitlab Gemfile
  
    gem 'scss_lint', '~> 0.56.0', require: false
    gem 'haml_lint', '~> 0.31.0', require: false
-@@ -370,7 +370,7 @@
+   gem 'simplecov', '~> 0.16.1', require: false
    gem 'bundler-audit', '~> 0.5.0', require: false
-   gem 'mdl', '~> 0.5.0', require: false
  
 -  gem 'benchmark-ips', '~> 2.3.0', require: false
 +  gem 'benchmark-ips', '~> 2.3', require: false
  
    gem 'license_finder', '~> 5.4', require: false
    gem 'knapsack', '~> 1.17'
-@@ -379,16 +379,16 @@
  
    gem 'stackprof', '~> 0.2.10', require: false
  
@@ -388,7 +385,7 @@ gitlab Gemfile
    gem 'rails-controller-testing'
    gem 'concurrent-ruby', '~> 1.1'
    gem 'test-prof', '~> 0.2.5'
-@@ -412,11 +412,11 @@
+@@ -426,11 +426,11 @@
  gem 'oauth2', '~> 1.4'
  
  # Health check
@@ -401,9 +398,9 @@ gitlab Gemfile
 +gem 'vmstat', '~> 2.3'
 +gem 'sys-filesystem', '~> 1.1', '>= 1.1.6'
  
- # SSH host key support
+ # NTP client
- gem 'net-ssh', '~> 5.2'
+ gem 'net-ntp'
-@@ -429,13 +429,13 @@
+@@ -446,13 +446,13 @@
  end
  
  # Gitaly GRPC protocol definitions

debian/patches/0100-remove-development-test.patch

@@ -2,15 +2,15 @@ Bundler will fail when it can't find these locally
 
 --- a/Gemfile
 +++ b/Gemfile
-@@ -86,7 +86,6 @@
+@@ -92,7 +92,6 @@
- gem 'graphql', '~> 1.8'
+ # https://gitlab.com/gitlab-org/gitlab-ce/issues/67263
  gem 'graphiql-rails', '~> 1.4', '>= 1.4.10'
  gem 'apollo_upload_server', '>= 2.0.0.beta3'
 -gem 'graphql-docs', '~> 1.6.0', group: [:development, :test]
  
  # Disable strong_params so that Mash does not respond to :permitted?
  gem 'hashie-forbidden_attributes'
-@@ -291,7 +290,6 @@
+@@ -306,7 +305,6 @@
  gem 'rails-i18n', '~> 5.1'
  gem 'gettext_i18n_rails', '~> 1.8'
  gem 'gettext_i18n_rails_js', '~> 1.3'
@@ -18,13 +18,14 @@ Bundler will fail when it can't find these locally
  
  gem 'batch-loader', '~> 1.4'
  
-@@ -314,21 +312,6 @@
+@@ -330,22 +328,6 @@
    gem 'raindrops', '~> 0.18'
  end
  
 -group :development do
 -  gem 'foreman', '~> 0.84.0'
 -  gem 'brakeman', '~> 4.2', require: false
+-  gem 'danger', '~> 6.0', require: false
 -
 -  gem 'letter_opener_web', '~> 1.3.4'
 -  gem 'rblineprof', '~> 0.3.6', platform: :mri, require: false

debian/patches/0110-make-test-dependencies-conditional.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -312,7 +312,7 @@
+@@ -328,7 +328,7 @@
    gem 'raindrops', '~> 0.18'
  end
  
@@ -9,7 +9,7 @@
    gem 'bullet', '~> 5.5', require: !!ENV['ENABLE_BULLET']
    gem 'pry-byebug', '~> 3.5', '>= 3.5.1', platform: :mri
    gem 'pry-rails', '~> 0.3.4'
-@@ -365,9 +365,7 @@
+@@ -378,9 +378,7 @@
    gem 'simple_po_parser', '~> 1.1', '>= 1.1.2', require: false
  
    gem 'timecop', '~> 0.8.0'

debian/patches/0340-relax-httparty.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -176,7 +176,7 @@
+@@ -189,7 +189,7 @@
  gem 'fugit', '~> 1.2', '>= 1.2.1'
  
  # HTTP requests

debian/patches/0430-remove-gitlab-markup.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -123,7 +123,6 @@
+@@ -136,7 +136,6 @@
  # Markdown and HTML processing
  gem 'html-pipeline', '~> 2.8'
  gem 'deckar01-task_list', '2.2'

debian/patches/0440-remove-puma.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -153,12 +153,6 @@
+@@ -166,12 +166,6 @@
    gem 'unicorn-worker-killer', '~> 0.4.4'
  end
  

debian/patches/0450-remove-bullet.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -306,7 +306,6 @@
+@@ -322,7 +322,6 @@
  end
  
  if ENV["INCLUDE_TEST_DEPENDS"] == "true"

debian/patches/0460-embed-derailed-benchmarks.patch

@@ -1,6 +1,6 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -293,7 +293,8 @@
+@@ -309,7 +309,8 @@
  gem 'snowplow-tracker', '~> 0.6.1'
  
  # Memory benchmarks

debian/patches/0480-embed-snowplow-tracker.patch

@@ -1,7 +1,7 @@
 --- a/Gemfile
 +++ b/Gemfile
-@@ -290,7 +290,7 @@
+@@ -306,7 +306,7 @@
- gem 'peek', '~> 1.0', '>= 1.0.1'
+ gem 'gitlab-peek', '~> 0.0.1', require: 'peek'
  
  # Snowplow events tracking
 -gem 'snowplow-tracker', '~> 0.6.1'

debian/patches/0482-relax-gitlab-labkit.patch

@@ -1,11 +0,0 @@
---- a/Gemfile
-+++ b/Gemfile
-@@ -276,7 +276,7 @@
- gem 'premailer-rails', '~> 1.9', '>=1.9.7'
- 
- # LabKit: Tracing and Correlation
--gem 'gitlab-labkit', '~> 0.4.2'
-+gem 'gitlab-labkit', '~> 0.5'
- 
- # I18n
- gem 'ruby_parser', '~> 3.8', require: false

debian/patches/0510-remove-dev-dependencies.patch

@@ -1,10 +1,10 @@
 --- a/package.json
 +++ b/package.json
-@@ -145,60 +145,6 @@
+@@ -147,62 +147,7 @@
      "xterm": "^3.5.0"
    },
    "devDependencies": {
--    "@babel/plugin-transform-modules-commonjs": "^7.2.0",
+-    "@babel/plugin-transform-modules-commonjs": "^7.5.0",
 -    "@gitlab/eslint-config": "^1.6.0",
 -    "@gitlab/eslint-plugin-i18n": "^1.1.0",
 -    "@gitlab/eslint-plugin-vue-i18n": "^1.2.0",
@@ -21,7 +21,6 @@
 -    "eslint": "~5.9.0",
 -    "eslint-import-resolver-jest": "^2.1.1",
 -    "eslint-import-resolver-webpack": "^0.10.1",
--    "eslint-plugin-html": "5.0.0",
 -    "eslint-plugin-import": "^2.14.0",
 -    "eslint-plugin-jasmine": "^2.10.1",
 -    "eslint-plugin-jest": "^22.3.0",
@@ -45,6 +44,7 @@
 -    "karma-mocha-reporter": "^2.2.5",
 -    "karma-sourcemap-loader": "^0.3.7",
 -    "karma-webpack": "^4.0.2",
+-    "markdownlint-cli": "0.18.0",
 -    "md5": "^2.2.1",
 -    "node-sass": "^4.12.0",
 -    "nodemon": "^1.18.9",
@@ -55,9 +55,12 @@
 -    "stylelint": "^10.1.0",
 -    "stylelint-config-recommended": "^2.2.0",
 -    "stylelint-scss": "^3.9.2",
+-    "timezone-mock": "^1.0.8",
 -    "vue-jest": "^4.0.0-beta.2",
 -    "webpack-dev-server": "^3.1.14",
 -    "yarn-deduplicate": "^1.1.1"
-   },
+-  },
++     },
    "resolutions": {
      "vue-jest/ts-jest": "24.0.0"
+   },

debian/patches/0520-add-system-lib-path-for-webpack.patch

@@ -1,6 +1,6 @@
 --- a/config/webpack.config.js
 +++ b/config/webpack.config.js
-@@ -126,9 +126,14 @@
+@@ -127,9 +127,14 @@
  
    resolve: {
      extensions: ['.js', '.gql', '.graphql'],

debian/patches/0730-install-graphql-tag.patch

@@ -3,7 +3,7 @@ Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
 
 --- a/package.json
 +++ b/package.json
-@@ -85,6 +85,7 @@
+@@ -86,6 +86,7 @@
      "fuzzaldrin-plus": "^0.5.0",
      "glob": "^7.1.2",
      "graphql": "^14.0.2",

debian/patches/0740-use-packaged-modules.patch

@@ -1,12 +1,12 @@
 --- a/package.json
 +++ b/package.json
-@@ -121,28 +121,17 @@
+@@ -122,29 +122,19 @@
      "style-loader": "^0.23.1",
      "svg4everybody": "2.1.9",
      "three": "^0.84.0",
 -    "three-orbit-controls": "^82.1.0",
 -    "three-stl-loader": "^1.0.4",
--    "timeago.js": "^3.0.2",
+     "timeago.js": "^3.0.2",
      "tiptap": "^1.8.0",
      "tiptap-commands": "^1.4.0",
      "tiptap-extensions": "^1.8.0",
@@ -20,6 +20,7 @@
      "vue-router": "^3.0.2",
      "vue-template-compiler": "^2.6.10",
      "vue-virtual-scroll-list": "^1.3.1",
+     "vuedraggable": "^2.23.0",
      "vuex": "^3.1.0",
 -    "webpack": "^4.29.0",
 -    "webpack-bundle-analyzer": "^3.3.2",
@@ -39,7 +40,7 @@
  const CopyWebpackPlugin = require('copy-webpack-plugin');
  
  const ROOT_PATH = '/usr/share/gitlab';
-@@ -126,12 +125,12 @@
+@@ -127,12 +126,12 @@
  
    resolve: {
      extensions: ['.js', '.gql', '.graphql'],
@@ -54,7 +55,7 @@
    },
  
    module: {
-@@ -338,16 +337,6 @@
+@@ -370,16 +369,6 @@
      // enable HMR only in webpack-dev-server
      DEV_SERVER_LIVERELOAD && new webpack.HotModuleReplacementPlugin(),
  
@@ -71,7 +72,7 @@
      new webpack.DefinePlugin({
        // This one is used to define window.gon.ee and other things properly in tests:
        'process.env.IS_GITLAB_EE': JSON.stringify(IS_EE),
-@@ -373,6 +362,7 @@
+@@ -405,6 +394,7 @@
  
    node: {
      fs: 'empty', // sqljs requires fs

debian/patches/0750-fix-relative-paths.patch

@@ -1,10 +1,12 @@
 --- a/config/initializers/1_settings.rb
 +++ b/config/initializers/1_settings.rb
-@@ -1,5 +1,5 @@
+@@ -1,6 +1,6 @@
 -require_relative '../settings'
 -require_relative '../object_store_settings'
+-require_relative '../smime_signature_settings'
 +require '/usr/share/gitlab/config/settings'
 +require '/usr/share/gitlab/config/object_store_settings'
++require '/usr/share/gitlab/config/smime_signature_settings'
  
  # Default settings
  Settings['ldap'] ||= Settingslogic.new({})

debian/patches/0760-bump-rubyzip.patch

@@ -5,7 +5,7 @@ Last-Update: 2019-11-19
 
 --- a/Gemfile
 +++ b/Gemfile
-@@ -61,7 +61,7 @@
+@@ -64,7 +64,7 @@
  
  # GitLab Pages
  gem 'validates_hostname', '~> 1.0', '>= 1.0.6'
@@ -16,7 +16,7 @@ Last-Update: 2019-11-19
  
 --- a/Gemfile.lock
 +++ b/Gemfile.lock
-@@ -845,7 +845,7 @@
+@@ -901,7 +901,7 @@
        sexp_processor (~> 4.9)
      rubyntlm (0.6.2)
      rubypants (0.2.0)
@@ -25,8 +25,8 @@ Last-Update: 2019-11-19
      rugged (0.28.3.1)
      safe_yaml (1.0.4)
      sanitize (4.6.6)
-@@ -1220,7 +1220,7 @@
+@@ -1291,7 +1291,7 @@
-   ruby-prof (~> 0.17.0)
+   ruby-prof (~> 1.0.0)
    ruby-progressbar
    ruby_parser (~> 3.8)
 -  rubyzip (~> 1.2.2)

debian/patches/0770-bump-node-d3.patch

@@ -10,7 +10,7 @@ Subject: [PATCH 1/2] Update d3 node module 4.13 -> 5.12
 
 --- a/package.json
 +++ b/package.json
-@@ -61,7 +61,7 @@
+@@ -62,7 +62,7 @@
      "core-js": "^3.1.3",
      "cropper": "^2.3.0",
      "css-loader": "^1.0.0",

debian/patches/CVE-2019-19254.patch

@@ -1,154 +0,0 @@
-From 5bdfcaa1c268aa475a11480a0ae33691f73a1a96 Mon Sep 17 00:00:00 2001
-From: Brandon Labuschagne <blabuschagne@gitlab.com>
-Date: Fri, 15 Nov 2019 14:39:29 +0000
-Subject: [PATCH 1/2] Ensure that summary items remain aligned
-
-Default number of items is 3. If this is not the case,
-then increase the column width of the summary items
-to cater for 2 items plus the date filter.
----
- .../javascripts/cycle_analytics/cycle_analytics_bundle.js   | 6 ++++++
- app/views/projects/cycle_analytics/show.html.haml           | 4 ++--
- 2 files changed, 8 insertions(+), 2 deletions(-)
-
---- a/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
-+++ b/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
-@@ -56,10 +56,16 @@
-         service: this.createCycleAnalyticsService(cycleAnalyticsEl.dataset.requestPath),
-       };
-     },
-+    defaultNumberOfSummaryItems: 3,
-     computed: {
-       currentStage() {
-         return this.store.currentActiveStage();
-       },
-+      summaryTableColumnClass() {
-+        return this.state.summary.length === this.$options.defaultNumberOfSummaryItems
-+          ? 'col-sm-3'
-+          : 'col-sm-4';
-+      },
-     },
-     created() {
-       // Conditional check placed here to prevent this method from being called on the
---- a/app/views/projects/cycle_analytics/show.html.haml
-+++ b/app/views/projects/cycle_analytics/show.html.haml
-@@ -14,10 +14,10 @@
-       .content-block
-         .container-fluid
-           .row
--            .col-sm-3.col-12.column{ "v-for" => "item in state.summary" }
-+            .col-12.column{ "v-for" => "item in state.summary", ":class" => "summaryTableColumnClass" }
-               %h3.header {{ item.value }}
-               %p.text {{ item.title }}
--            .col-sm-3.col-12.column
-+            .col-12.column{ ":class" => "summaryTableColumnClass" }
-               .dropdown.inline.js-ca-dropdown
-                 %button.dropdown-menu-toggle{ "data-toggle" => "dropdown", :type => "button" }
-                   %span.dropdown-label {{ n__('Last %d day', 'Last %d days', 30) }}
---- /dev/null
-+++ b/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml
-@@ -0,0 +1,5 @@
-+---
-+title: Hide commit counts from guest users in Cycle Analytics.
-+merge_request:
-+author:
-+type: security
---- a/lib/gitlab/cycle_analytics/stage_summary.rb
-+++ b/lib/gitlab/cycle_analytics/stage_summary.rb
-@@ -10,13 +10,29 @@
-       end
- 
-       def data
--        [serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)),
--         serialize(Summary::Commit.new(project: @project, from: @from)),
--         serialize(Summary::Deploy.new(project: @project, from: @from))]
-+        summary = [issue_stats]
-+        summary << commit_stats if user_has_sufficient_access?
-+        summary << deploy_stats
-       end
- 
-       private
- 
-+      def issue_stats
-+        serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user))
-+      end
-+
-+      def commit_stats
-+        serialize(Summary::Commit.new(project: @project, from: @from))
-+      end
-+
-+      def deploy_stats
-+        serialize(Summary::Deploy.new(project: @project, from: @from))
-+      end
-+
-+      def user_has_sufficient_access?
-+        @project.team.member?(@current_user, Gitlab::Access::REPORTER)
-+      end
-+
-       def serialize(summary_object)
-         AnalyticsSummarySerializer.new.represent(summary_object)
-       end
---- a/spec/features/cycle_analytics_spec.rb
-+++ b/spec/features/cycle_analytics_spec.rb
-@@ -108,6 +108,10 @@
-       wait_for_requests
-     end
- 
-+    it 'does not show the commit stats' do
-+      expect(page).to have_no_selector(:xpath, commits_counter_selector)
-+    end
-+
-     it 'needs permissions to see restricted stages' do
-       expect(find('.stage-events')).to have_content(issue.title)
- 
-@@ -123,8 +127,12 @@
-     find(:xpath, "//p[contains(text(),'New Issue')]/preceding-sibling::h3")
-   end
- 
-+  def commits_counter_selector
-+    "//p[contains(text(),'Commits')]/preceding-sibling::h3"
-+  end
-+
-   def commits_counter
--    find(:xpath, "//p[contains(text(),'Commits')]/preceding-sibling::h3")
-+    find(:xpath, commits_counter_selector)
-   end
- 
-   def deploys_counter
---- a/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
-+++ b/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
-@@ -8,6 +8,10 @@
-   let(:user) { create(:user, :admin) }
-   subject { described_class.new(project, from: Time.now, current_user: user).data }
- 
-+  before do
-+    project.add_maintainer(user)
-+  end
-+
-   describe "#new_issues" do
-     it "finds the number of issues created after the 'from date'" do
-       Timecop.freeze(5.days.ago) { create(:issue, project: project) }
-@@ -42,6 +46,23 @@
- 
-       expect(subject.second[:value]).to eq(100)
-     end
-+
-+    context 'when a guest user is signed in' do
-+      let(:guest_user) { create(:user) }
-+
-+      before do
-+        project.add_guest(guest_user)
-+      end
-+
-+      it 'does not include commit stats' do
-+        data = described_class.new(project, from: from, current_user: guest_user).data
-+        expect(includes_commits?(data)).to be_falsy
-+      end
-+
-+      def includes_commits?(data)
-+        data.any? { |h| h["title"] == 'Commits' }
-+      end
-+    end
-   end
- 
-   describe "#deploys" do

debian/patches/CVE-2019-19257.patch

@@ -1,181 +0,0 @@
-From debb36496b4805beae28262fbb24a692018178e2 Mon Sep 17 00:00:00 2001
-From: Kerri Miller <kerrizor@kerrizor.com>
-Date: Fri, 25 Oct 2019 07:46:40 -0500
-Subject: [PATCH] Restrict branches visible to guests in Issue feed
-
-Notes related to branch creation should not be shown in an issue's
-activity feed when the user doesn't have access to :download_code.
----
- app/models/note.rb                            | 15 ++++-
- ...er-related-branches-from-activity-feed.yml |  6 ++
- .../projects/issues_controller_spec.rb        | 37 +++++++++++
- spec/models/note_spec.rb                      | 64 +++++++++++++++++++
- 4 files changed, 121 insertions(+), 1 deletion(-)
- create mode 100644 changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
-
---- a/app/models/note.rb
-+++ b/app/models/note.rb
-@@ -40,6 +40,10 @@
- 
-   redact_field :note
- 
-+  TYPES_RESTRICTED_BY_ABILITY = {
-+    branch: :download_code
-+  }.freeze
-+
-   # Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes.
-   # See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10392/diffs#note_28719102
-   alias_attribute :last_edited_at, :updated_at
-@@ -333,7 +337,7 @@
-   end
- 
-   def visible_for?(user)
--    !cross_reference_not_visible_for?(user)
-+    !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user)
-   end
- 
-   def award_emoji?
-@@ -485,6 +489,15 @@
- 
-   private
- 
-+  def system_note_viewable_by?(user)
-+    return true unless system_note_metadata
-+
-+    restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym]
-+    return Ability.allowed?(user, restriction, project) if restriction
-+
-+    true
-+  end
-+
-   def keep_around_commit
-     project.repository.keep_around(self.commit_id)
-   end
---- /dev/null
-+++ b/changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
-@@ -0,0 +1,6 @@
-+---
-+title: Remove notes regarding Related Branches from Issue activity feeds for guest
-+  users
-+merge_request:
-+author:
-+type: security
---- a/spec/controllers/projects/issues_controller_spec.rb
-+++ b/spec/controllers/projects/issues_controller_spec.rb
-@@ -1343,6 +1343,43 @@
-           expect { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } }.not_to exceed_query_limit(control_count)
-         end
-       end
-+
-+      context 'private project' do
-+        let!(:branch_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
-+        let!(:commit_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
-+        let!(:branch_note_meta) { create(:system_note_metadata, note: branch_note, action: "branch") }
-+        let!(:commit_note_meta) { create(:system_note_metadata, note: commit_note, action: "commit") }
-+
-+        context 'user is allowed access' do
-+          before do
-+            project.add_user(user, :maintainer)
-+          end
-+
-+          it 'displays all available notes' do
-+            get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
-+
-+            expect(json_response.length).to eq(3)
-+          end
-+        end
-+
-+        context 'user is a guest' do
-+          let(:json_response_note_ids) do
-+            json_response.collect { |discussion| discussion["notes"] }.flatten
-+              .collect { |note| note["id"].to_i }
-+          end
-+
-+          before do
-+            project.add_guest(user)
-+          end
-+
-+          it 'does not display notes w/type listed in TYPES_RESTRICTED_BY_ACCESS_LEVEL' do
-+            get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
-+
-+            expect(json_response.length).to eq(2)
-+            expect(json_response_note_ids).not_to include(branch_note.id)
-+          end
-+        end
-+      end
-     end
-   end
- 
---- a/spec/models/note_spec.rb
-+++ b/spec/models/note_spec.rb
-@@ -246,6 +246,70 @@
-     end
-   end
- 
-+  describe "#visible_for?" do
-+    using RSpec::Parameterized::TableSyntax
-+
-+    let(:note) { create(:note) }
-+    let(:user) { create(:user) }
-+
-+    where(:cross_reference_visible, :system_note_viewable, :result) do
-+      true  | true  | false
-+      false | true  | true
-+      false | false | false
-+    end
-+
-+    with_them do
-+      it "returns expected result" do
-+        expect(note).to receive(:cross_reference_not_visible_for?).and_return(cross_reference_visible)
-+
-+        unless cross_reference_visible
-+          expect(note).to receive(:system_note_viewable_by?)
-+            .with(user).and_return(system_note_viewable)
-+        end
-+
-+        expect(note.visible_for?(user)).to eq result
-+      end
-+    end
-+  end
-+
-+  describe "#system_note_viewable_by?(user)" do
-+    let(:note) { create(:note) }
-+    let(:user) { create(:user) }
-+    let!(:metadata) { create(:system_note_metadata, note: note, action: "branch") }
-+
-+    context "when system_note_metadata is not present" do
-+      it "returns true" do
-+        expect(note).to receive(:system_note_metadata).and_return(nil)
-+
-+        expect(note.send(:system_note_viewable_by?, user)).to be_truthy
-+      end
-+    end
-+
-+    context "system_note_metadata isn't of type 'branch'" do
-+      before do
-+        metadata.action = "not_a_branch"
-+      end
-+
-+      it "returns true" do
-+        expect(note.send(:system_note_viewable_by?, user)).to be_truthy
-+      end
-+    end
-+
-+    context "user doesn't have :download_code ability" do
-+      it "returns false" do
-+        expect(note.send(:system_note_viewable_by?, user)).to be_falsey
-+      end
-+    end
-+
-+    context "user has the :download_code ability" do
-+      it "returns true" do
-+        expect(Ability).to receive(:allowed?).with(user, :download_code, note.project).and_return(true)
-+
-+        expect(note.send(:system_note_viewable_by?, user)).to be_truthy
-+      end
-+    end
-+  end
-+
-   describe "cross_reference_not_visible_for?" do
-     let(:private_user)    { create(:user) }
-     let(:private_project) { create(:project, namespace: private_user.namespace) { |p| p.add_maintainer(private_user) } }

debian/patches/series

@@ -10,7 +10,6 @@
 0470-relax-bootsnap.patch
 0480-embed-snowplow-tracker.patch
 0481-relax-contracts-dependency-of-snowplow.patch
-0482-relax-gitlab-labkit.patch
 0500-set-webpack-root.patch
 0510-remove-dev-dependencies.patch
 0520-add-system-lib-path-for-webpack.patch
@@ -28,5 +27,3 @@
 0750-fix-relative-paths.patch
 0760-bump-rubyzip.patch
 0770-bump-node-d3.patch
-CVE-2019-19254.patch
-CVE-2019-19257.patch