From 32bbedbc214c30979168c8005c83259feb468540 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Thu, 31 Mar 2022 21:08:16 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 .eslintrc.yml                                 |   6 +
 .../merge_request_templates/Documentation.md  |  18 +-
 CHANGELOG.md                                  |  77 ++++++
 GITLAB_PAGES_VERSION                          |   2 +-
 Gemfile                                       |   2 +-
 Gemfile.lock                                  |   8 +-
 .../diagram_performance_warning.vue           |  25 ++
 .../behaviors/markdown/constants.js           |  16 ++
 .../behaviors/markdown/render_gfm.js          |   2 +
 .../behaviors/markdown/render_kroki.js        |  63 +++++
 .../behaviors/markdown/render_mermaid.js      |  21 +-
 .../markdown/render_sandboxed_mermaid.js      |  20 +-
 app/assets/javascripts/blob/openapi/index.js  |   7 +-
 .../crm/components/contact_form.vue           | 224 ------------------
 .../javascripts/crm/components/form.vue       |  67 ++++--
 .../crm/components/new_organization_form.vue  | 164 -------------
 .../bundle.js}                                |   0
 .../components/contact_form_wrapper.vue       |  78 ++++++
 .../components/contacts_root.vue              |  93 +++-----
 .../graphql}/create_contact.mutation.graphql  |   0
 .../crm_contact_fields.fragment.graphql       |   0
 .../graphql}/get_group_contacts.query.graphql |   0
 .../graphql}/update_contact.mutation.graphql  |   0
 .../javascripts/crm/{ => contacts}/routes.js  |   6 +-
 .../bundle.js}                                |   0
 .../create_organization.mutation.graphql      |   0
 .../crm_organization_fields.fragment.graphql  |   0
 .../get_group_organizations.query.graphql     |   0
 .../update_organization.mutation.graphql      |  10 +
 .../components/organization_form_wrapper.vue  |  80 +++++++
 .../components/organizations_root.vue         |  58 ++---
 .../javascripts/crm/organizations/routes.js   |  20 ++
 .../javascripts/graphql_shared/constants.js   |   1 +
 .../javascripts/lib/utils/text_markdown.js    |   4 +-
 .../pages/groups/crm/contacts/index.js        |   2 +-
 .../pages/groups/crm/organizations/index.js   |   2 +-
 .../runner/components/runner_jobs.vue         |   2 +-
 .../runner/components/runner_projects.vue     |   2 +-
 .../components/feature_card.vue               |  10 +-
 .../list/components/issuable_list_root.vue    |   7 +-
 .../groups/crm/organizations_controller.rb    |   4 +
 .../merge_requests/creations_controller.rb    |   2 +-
 app/models/ci/pipeline.rb                     |   2 +
 app/models/ci/runner.rb                       |   7 +
 app/models/integrations/asana.rb              |  15 +-
 app/models/releases/link.rb                   |  12 +-
 app/models/ssh_host_key.rb                    |  36 ++-
 app/models/user.rb                            |  17 ++
 app/policies/project_policy.rb                |  10 +-
 .../quick_actions/interpret_service.rb        |   3 +
 app/views/groups/crm/contacts/index.html.haml |   8 +-
 .../groups/crm/organizations/index.html.haml  |   8 +-
 config/initializers/rdoc_segfault_patch.rb    |  21 ++
 config/routes/group.rb                        |   2 +-
 db/fixtures/development/18_abuse_reports.rb   |   2 +-
 doc/ci/variables/predefined_variables.md      |   1 +
 doc/user/crm/crm_contacts_v14_10.png          | Bin 0 -> 18015 bytes
 doc/user/crm/crm_contacts_v14_6.png           | Bin 19864 -> 0 bytes
 doc/user/crm/crm_organizations_v14_10.png     | Bin 0 -> 13787 bytes
 doc/user/crm/crm_organizations_v14_6.png      | Bin 8244 -> 0 bytes
 doc/user/crm/index.md                         |   4 +-
 lib/banzai/filter/kroki_filter.rb             |  12 +-
 lib/banzai/filter/syntax_highlight_filter.rb  |   2 +-
 lib/banzai/pipeline/gfm_pipeline.rb           |   2 +-
 lib/banzai/reference_redactor.rb              |   7 +-
 lib/gitlab/auth/o_auth/user.rb                |   4 +-
 lib/gitlab/ci/config/external/context.rb      |  10 +
 .../ci/config/external/file/artifact.rb       |   2 +-
 lib/gitlab/ci/config/external/file/base.rb    |  14 +-
 lib/gitlab/ci/config/external/file/local.rb   |   6 +-
 lib/gitlab/ci/config/external/file/project.rb |   4 +-
 lib/gitlab/ci/config/external/file/remote.rb  |  10 +-
 .../ci/config/external/file/template.rb       |   2 +-
 lib/gitlab/ci/config/external/mapper.rb       |   6 +-
 .../batched_migration_wrapper.rb              |  83 +------
 .../prometheus_metrics.rb                     |  93 ++++++++
 lib/gitlab/error_tracking.rb                  |   3 +-
 .../concerns/processes_exceptions.rb          |  40 ++++
 .../processor/grpc_error_processor.rb         |  30 +--
 .../sanitize_error_message_processor.rb       |  27 +++
 lib/gitlab/exception_log_formatter.rb         |   6 +-
 lib/gitlab/import_export/members_mapper.rb    |  65 +++--
 lib/gitlab/password.rb                        |  14 --
 lib/gitlab/sanitizers/exception_message.rb    |  19 ++
 lib/tasks/gitlab/seed/group_seed.rake         |   2 +-
 locale/gitlab.pot                             |  52 ++--
 package.json                                  |   2 +-
 .../admin/users_controller_spec.rb            |   4 +-
 .../creations_controller_spec.rb              |  18 ++
 .../projects/mirrors_controller_spec.rb       |   1 +
 .../registrations_controller_spec.rb          |   4 +-
 spec/factories/users.rb                       |   6 +-
 spec/features/markdown/kroki_spec.rb          |  55 +++++
 spec/features/password_reset_spec.rb          |   4 +-
 spec/features/profile_spec.rb                 |   2 +-
 spec/features/profiles/password_spec.rb       |   8 +-
 .../features/projects/blobs/blob_show_spec.rb |  47 ++++
 .../projects/blobs/blob_show_spec.rb          |  47 ++++
 .../features/users/anonymous_sessions_spec.rb |   2 +-
 spec/features/users/login_spec.rb             |  45 +++-
 .../markdown_golden_master_examples.yml       |   2 +-
 .../diagram_performance_warning_spec.js       |  40 ++++
 spec/frontend/crm/contact_form_spec.js        | 157 ------------
 .../frontend/crm/contact_form_wrapper_spec.js |  88 +++++++
 spec/frontend/crm/contacts_root_spec.js       |  77 +-----
 spec/frontend/crm/form_spec.js                |  51 ++--
 spec/frontend/crm/mock_data.js                |  25 ++
 .../crm/new_organization_form_spec.js         | 109 ---------
 .../crm/organization_form_wrapper_spec.js     |  88 +++++++
 spec/frontend/crm/organizations_root_spec.js  |  51 +---
 .../ide/components/ide_side_bar_spec.js       |   2 +-
 spec/frontend/lib/utils/text_markdown_spec.js |   8 +-
 .../runner/components/runner_jobs_spec.js     |   2 +-
 .../runner/components/runner_projects_spec.js |   2 +-
 .../components/issuable_list_root_spec.js     |   7 +-
 ...oject_pipeline_statistics_resolver_spec.rb |  70 +++++-
 spec/initializers/rdoc_segfault_patch_spec.rb |  24 ++
 spec/lib/banzai/filter/kroki_filter_spec.rb   |  12 +-
 .../filter/syntax_highlight_filter_spec.rb    |   6 +
 spec/lib/banzai/reference_redactor_spec.rb    |   2 +-
 spec/lib/gitlab/auth_spec.rb                  |  30 +--
 .../ci/config/external/file/artifact_spec.rb  |   8 +-
 .../ci/config/external/file/base_spec.rb      |   8 +-
 .../ci/config/external/file/local_spec.rb     |  23 +-
 .../ci/config/external/file/project_spec.rb   |  16 +-
 .../ci/config/external/file/remote_spec.rb    |  15 +-
 .../ci/config/external/file/template_spec.rb  |   6 +-
 .../gitlab/ci/config/external/mapper_spec.rb  |   8 +-
 .../batched_migration_wrapper_spec.rb         |  97 ++------
 .../prometheus_metrics_spec.rb                | 118 +++++++++
 .../sanitize_error_message_processor_spec.rb  |  53 +++++
 spec/lib/gitlab/error_tracking_spec.rb        |  56 +++++
 .../gitlab/exception_log_formatter_spec.rb    |   8 +
 .../import_export/members_mapper_spec.rb      |  53 ++++-
 .../sanitizers/exception_message_spec.rb      |  54 +++++
 spec/mailers/emails/profile_spec.rb           |   2 +-
 spec/models/ci/pipeline_spec.rb               |  22 ++
 spec/models/ci/runner_spec.rb                 |  14 +-
 spec/models/hooks/system_hook_spec.rb         |   2 +-
 spec/models/integrations/asana_spec.rb        |  36 ++-
 spec/models/releases/link_spec.rb             |  11 +
 spec/models/ssh_host_key_spec.rb              |  45 +++-
 spec/models/user_spec.rb                      |  34 ++-
 spec/policies/project_policy_spec.rb          | 161 ++++++++++++-
 .../api/ci/runner/runners_post_spec.rb        |  50 +++-
 spec/requests/api/ci/runners_spec.rb          |  13 +
 spec/requests/api/users_spec.rb               |  14 +-
 spec/requests/git_http_spec.rb                |   4 +-
 .../groups/crm/contacts_controller_spec.rb    |  15 +-
 .../crm/organizations_controller_spec.rb      |  15 +-
 .../creation_errors_and_warnings_spec.rb      |  18 ++
 .../quick_actions/interpret_service_spec.rb   |  13 +
 spec/services/users/create_service_spec.rb    |  14 +-
 spec/support/helpers/login_helpers.rb         |   5 +-
 .../policies/project_policy_shared_context.rb |   8 +-
 .../project_policy_shared_examples.rb         |  13 +
 spec/tasks/gitlab/password_rake_spec.rb       |   8 +-
 yarn.lock                                     |   8 +-
 158 files changed, 2467 insertions(+), 1445 deletions(-)
 create mode 100644 app/assets/javascripts/behaviors/components/diagram_performance_warning.vue
 create mode 100644 app/assets/javascripts/behaviors/markdown/render_kroki.js
 delete mode 100644 app/assets/javascripts/crm/components/contact_form.vue
 delete mode 100644 app/assets/javascripts/crm/components/new_organization_form.vue
 rename app/assets/javascripts/crm/{contacts_bundle.js => contacts/bundle.js} (100%)
 create mode 100644 app/assets/javascripts/crm/contacts/components/contact_form_wrapper.vue
 rename app/assets/javascripts/crm/{ => contacts}/components/contacts_root.vue (55%)
 rename app/assets/javascripts/crm/{components/queries => contacts/components/graphql}/create_contact.mutation.graphql (100%)
 rename app/assets/javascripts/crm/{components/queries => contacts/components/graphql}/crm_contact_fields.fragment.graphql (100%)
 rename app/assets/javascripts/crm/{components/queries => contacts/components/graphql}/get_group_contacts.query.graphql (100%)
 rename app/assets/javascripts/crm/{components/queries => contacts/components/graphql}/update_contact.mutation.graphql (100%)
 rename app/assets/javascripts/crm/{ => contacts}/routes.js (56%)
 rename app/assets/javascripts/crm/{organizations_bundle.js => organizations/bundle.js} (100%)
 rename app/assets/javascripts/crm/{components/queries => organizations/components/graphql}/create_organization.mutation.graphql (100%)
 rename app/assets/javascripts/crm/{components/queries => organizations/components/graphql}/crm_organization_fields.fragment.graphql (100%)
 rename app/assets/javascripts/crm/{components/queries => organizations/components/graphql}/get_group_organizations.query.graphql (100%)
 create mode 100644 app/assets/javascripts/crm/organizations/components/graphql/update_organization.mutation.graphql
 create mode 100644 app/assets/javascripts/crm/organizations/components/organization_form_wrapper.vue
 rename app/assets/javascripts/crm/{ => organizations}/components/organizations_root.vue (72%)
 create mode 100644 app/assets/javascripts/crm/organizations/routes.js
 create mode 100644 config/initializers/rdoc_segfault_patch.rb
 create mode 100644 doc/user/crm/crm_contacts_v14_10.png
 delete mode 100644 doc/user/crm/crm_contacts_v14_6.png
 create mode 100644 doc/user/crm/crm_organizations_v14_10.png
 delete mode 100644 doc/user/crm/crm_organizations_v14_6.png
 create mode 100644 lib/gitlab/database/background_migration/prometheus_metrics.rb
 create mode 100644 lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
 create mode 100644 lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb
 delete mode 100644 lib/gitlab/password.rb
 create mode 100644 lib/gitlab/sanitizers/exception_message.rb
 create mode 100644 spec/features/markdown/kroki_spec.rb
 create mode 100644 spec/frontend/behaviors/components/diagram_performance_warning_spec.js
 delete mode 100644 spec/frontend/crm/contact_form_spec.js
 create mode 100644 spec/frontend/crm/contact_form_wrapper_spec.js
 delete mode 100644 spec/frontend/crm/new_organization_form_spec.js
 create mode 100644 spec/frontend/crm/organization_form_wrapper_spec.js
 create mode 100644 spec/initializers/rdoc_segfault_patch_spec.rb
 create mode 100644 spec/lib/gitlab/database/background_migration/prometheus_metrics_spec.rb
 create mode 100644 spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
 create mode 100644 spec/lib/gitlab/sanitizers/exception_message_spec.rb

diff --git a/.eslintrc.yml b/.eslintrc.yml
index f5814639b36..7f45fd912a9 100644
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -93,6 +93,10 @@ rules:
           group: internal
       alphabetize:
         order: ignore
+  'no-restricted-syntax':
+    - error
+    - selector: ImportSpecifier[imported.name='GlSkeletonLoading']
+      message: 'Migrate to GlSkeletonLoader, or import GlDeprecatedSkeletonLoading.'
 overrides:
   - files:
     - '{,ee/,jh/}spec/frontend*/**/*'
@@ -107,6 +111,8 @@ overrides:
           message: 'Using $nextTick from a component instance is discouraged. Import nextTick directly from the Vue package.'
         - selector: Identifier[name='setImmediate']
           message: 'Prefer explicit waitForPromises (or equivalent), or jest.runAllTimers (or equivalent) to vague setImmediate calls.'
+        - selector: ImportSpecifier[imported.name='GlSkeletonLoading']
+          message: 'Migrate to GlSkeletonLoader, or import GlDeprecatedSkeletonLoading.'
   - files:
       - 'config/**/*'
       - 'scripts/**/*'
diff --git a/.gitlab/merge_request_templates/Documentation.md b/.gitlab/merge_request_templates/Documentation.md
index d3ea9682d34..49d1d0f79bf 100644
--- a/.gitlab/merge_request_templates/Documentation.md
+++ b/.gitlab/merge_request_templates/Documentation.md
@@ -8,17 +8,17 @@
 
 ## Author's checklist
 
-- [ ] Consider taking [the GitLab Technical Writing Fundamentals course](https://gitlab.edcast.com/pathways/ECL-02528ee2-c334-4e16-abf3-e9d8b8260de4).
+- [ ] Optional. Consider taking [the GitLab Technical Writing Fundamentals course](https://gitlab.edcast.com/pathways/ECL-02528ee2-c334-4e16-abf3-e9d8b8260de4).
 - [ ] Follow the:
   - [Documentation process](https://docs.gitlab.com/ee/development/documentation/workflow.html).
   - [Documentation guidelines](https://docs.gitlab.com/ee/development/documentation/).
   - [Style Guide](https://docs.gitlab.com/ee/development/documentation/styleguide/).
-- [ ] Ensure that the [product tier badge](https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#product-tier-badges) is added to topic's `h1`.
-- [ ] [Request a review](https://docs.gitlab.com/ee/development/code_review.html#dogfooding-the-reviewers-feature) based on:
-  - The documentation page's [metadata](https://docs.gitlab.com/ee/development/documentation/#metadata).
-  - The [associated Technical Writer](https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments).
+- [ ] If you're adding or changing the main heading of the page (H1), ensure that the [product tier badge](https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#product-tier-badges) is added.
+- [ ] If you are a GitLab team member, [request a review](https://docs.gitlab.com/ee/development/code_review.html#dogfooding-the-attention-request-feature) based on:
+    - The documentation page's [metadata](https://docs.gitlab.com/ee/development/documentation/#metadata).
+    - The [associated Technical Writer](https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments).
 
-If you are only adding documentation, do not add any of the following labels:
+If you are a GitLab team member and only adding documentation, do not add any of the following labels:
 
 - `~"frontend"`
 - `~"backend"`
@@ -27,7 +27,7 @@ If you are only adding documentation, do not add any of the following labels:
 
 These labels cause the MR to be added to code verification QA issues.
 
-## Review checklist
+## Reviewer's checklist
 
 Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on [Documentation Guidelines](https://docs.gitlab.com/ee/development/documentation/) and the [Style Guide](https://docs.gitlab.com/ee/development/documentation/styleguide/).
 
@@ -35,13 +35,13 @@ Documentation-related MRs should be reviewed by a Technical Writer for a non-blo
 - Technical writer review items:
   - [ ] Ensure docs metadata is present and up-to-date.
   - [ ] Ensure the appropriate [labels](https://about.gitlab.com/handbook/engineering/ux/technical-writing/workflow/#labels) are added to this MR.
+  - [ ] Ensure a release milestone is set.
   - If relevant to this MR, ensure [content topic type](https://docs.gitlab.com/ee/development/documentation/structure.html) principles are in use, including:
     - [ ] The headings should be something you'd do a Google search for. Instead of `Default behavior`, say something like `Default behavior when you close an issue`.
     - [ ] The headings (other than the page title) should be active. Instead of `Configuring GDK`, say something like `Configure GDK`.
     - [ ] Any task steps should be written as a numbered list.
     - If the content still needs to be edited for topic types, you can create a follow-up issue with the ~"docs-technical-debt" label.
 - [ ] Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review.
-- [ ] Ensure a release milestone is set.
 
-/label ~documentation ~"type::maintenance"
+/label ~documentation ~"type::maintenance" ~"docs::improvement"
 /assign me
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 529a3904a0a..add5cacce7b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,31 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 14.9.2 (2022-03-31)
+
+### Security (20 changes)
+
+- [Quarantine UsageDataNonSqlMetrics failing test](gitlab-org/security/gitlab@123fc00ff9f407284ce05007ddc373e1bd0aeede) ([merge request](gitlab-org/security/gitlab!2364))
+- [Disallow login if password matches a fixed list](gitlab-org/security/gitlab@1a128ae3fb17b3d83974bb08034e4ba7a7d54e3b) ([merge request](gitlab-org/security/gitlab!2357))
+- [Update devise-two-factor to 4.0.2](gitlab-org/security/gitlab@17c70b13dcd437c05de63b3286245af8e6f42210) ([merge request](gitlab-org/security/gitlab!2349))
+- [Limit the number of tags associated with a CI runner](gitlab-org/security/gitlab@ed5daced882a0206e050c4f676a888ac1c2417b1) ([merge request](gitlab-org/security/gitlab!2303))
+- [GitLab Pages Security Updates for 14.9](gitlab-org/security/gitlab@79709cabf71a57a336f490636a7e32a208fe0229) ([merge request](gitlab-org/security/gitlab!2327))
+- [Upgrade swagger-ui dependency](gitlab-org/security/gitlab@14280c1d844be3ffc2f30f5321a818a7b6c51770) ([merge request](gitlab-org/security/gitlab!2336))
+- [Modify release link format check to avoid regex if string is too long](gitlab-org/security/gitlab@f516d883b46e1441410476dc140d69fde51cdf0f) ([merge request](gitlab-org/security/gitlab!2307))
+- [Masks variables in error messages](gitlab-org/security/gitlab@9cf62118390c0cfba3d36a4231a30a7836f06e2f) ([merge request](gitlab-org/security/gitlab!2308))
+- [Escape user provided string to prevent XSS](gitlab-org/security/gitlab@2da3502aef64ed1b01c13d82418950cf284098c6) ([merge request](gitlab-org/security/gitlab!2313))
+- [Monkey patch of RDoc to prevent Ruby segfault](gitlab-org/security/gitlab@0ae4925089a1b5fd7c9abeeb0756b3a50e05799a) ([merge request](gitlab-org/security/gitlab!2321))
+- [Project import maps members' created_by_id users based on source user ID](gitlab-org/security/gitlab@3826f2a7c652d3f74e45bfef8888601ca1c86ba1) ([merge request](gitlab-org/security/gitlab!2301))
+- [Redact InvalidURIError error messages](gitlab-org/security/gitlab@59b60e9cf8f79d6f41000d34a4434c5a04988030) ([merge request](gitlab-org/security/gitlab!2295))
+- [Fix access for approval rules API](gitlab-org/security/gitlab@7890215aa29624cd67c5bc8ac25175f2866479b7) ([merge request](gitlab-org/security/gitlab!2322))
+- [Fix kroki exploit](gitlab-org/security/gitlab@b2a44b407ab85ca056a271ba4e708128ef08d25f) ([merge request](gitlab-org/security/gitlab!2306))
+- [Fix blind SSRF when looking up SSH host keys for mirroring](gitlab-org/security/gitlab@5a9509b52584302c508bd6dff1454f80aae371ea) ([merge request](gitlab-org/security/gitlab!2309))
+- [Escape original content in reference redactor](gitlab-org/security/gitlab@b33b170a2c2df8285999f3631e8a53d35e0eed22) ([merge request](gitlab-org/security/gitlab!2317))
+- [Security fix for CI/CD analytics visibility](gitlab-org/security/gitlab@f3febd00b440475b2aca0b9bd6728fa5f8750288) ([merge request](gitlab-org/security/gitlab!2304))
+- [Latest commit exposed through fork of a private project](gitlab-org/security/gitlab@3f20d4f294a12ceb33bec19d86790f582fb7fb48) ([merge request](gitlab-org/security/gitlab!2294))
+- [Fix Asana integration restricted branch filter](gitlab-org/security/gitlab@08aa0f55b1b715f7311ee6502cd6f8a1b875f878) ([merge request](gitlab-org/security/gitlab!2300))
+- [Revert "JH need more complex passwords"](gitlab-org/security/gitlab@e2fb87ec5d4e235d6b83454980cec9c049849a1c) ([merge request](gitlab-org/security/gitlab!2352))
+
 ## 14.9.1 (2022-03-23)
 
 ### Fixed (1 change)
@@ -604,6 +629,32 @@ entry.
 - [Clean up issue_boards_filtered_search feature flag](gitlab-org/gitlab@a97ed09ffb0d88007b21a314ab48b2e50d7c4bfa) ([merge request](gitlab-org/gitlab!80771))
 - [Add table for storing issue tsvector](gitlab-org/gitlab@ceabf5a8ad0d67768b05a58a84b242495645a57c) ([merge request](gitlab-org/gitlab!71913))
 
+## 14.8.5 (2022-03-31)
+
+### Security (21 changes)
+
+- [Update to commonmarker 0.23.4](gitlab-org/security/gitlab@51532ccc5f1b6b053d4ca6c54496607e62f8f25c) ([merge request](gitlab-org/security/gitlab!2282))
+- [Revert merge request approval groups behavior](gitlab-org/security/gitlab@dd9724e429033974da6c3852dc6fd33f0f2b0a46) ([merge request](gitlab-org/security/gitlab!2334))
+- [Disallow login if password matches a fixed list](gitlab-org/security/gitlab@6779d5f2948425a7ad7f19a6e10f82cc10b80989) ([merge request](gitlab-org/security/gitlab!2358))
+- [Update devise-two-factor to 4.0.2](gitlab-org/security/gitlab@0329d2d82a9064c0bae36e7b993ee40df7c999bc) ([merge request](gitlab-org/security/gitlab!2350))
+- [Limit the number of tags associated with a CI runner](gitlab-org/security/gitlab@8d5938c08fe66c22f1bc54ff76cc9daf2de86b1a) ([merge request](gitlab-org/security/gitlab!2302))
+- [GitLab Pages Security Updates for 14.9](gitlab-org/security/gitlab@5a5a862c8a9e37ca2ea84133f92b216eaa7cd148) ([merge request](gitlab-org/security/gitlab!2328))
+- [Upgrade swagger-ui dependency](gitlab-org/security/gitlab@afcb570867db61347bb6a4e243bb2557340191be) ([merge request](gitlab-org/security/gitlab!2337))
+- [Modify release link format check to avoid regex if string is too long](gitlab-org/security/gitlab@a3ab0ff9c470c1c6e5b4fd055ddd02dffce32652) ([merge request](gitlab-org/security/gitlab!2243))
+- [Masks variables in error messages](gitlab-org/security/gitlab@94236bbdb8eef6600562bdc4e242e07eaed8c50f) ([merge request](gitlab-org/security/gitlab!2291))
+- [Escape user provided string to prevent XSS](gitlab-org/security/gitlab@03e695d4c34546582b503b3f7712246206b56b99) ([merge request](gitlab-org/security/gitlab!2314))
+- [Monkey patch of RDoc to prevent Ruby segfault](gitlab-org/security/gitlab@14eec4487387bc0c999f1c48b046a3ed3848c5a1) ([merge request](gitlab-org/security/gitlab!2232))
+- [Project import maps members' created_by_id users based on source user ID](gitlab-org/security/gitlab@7fd7ab3f57e8d8b4e0aed42aebe9a8b7436a6255) ([merge request](gitlab-org/security/gitlab!2238))
+- [Redact InvalidURIError error messages](gitlab-org/security/gitlab@0592c182bfd60aee501c4c66f47a71c9469f2bcd) ([merge request](gitlab-org/security/gitlab!2296))
+- [Fix access for approval rules API](gitlab-org/security/gitlab@987e06bacba224519adf94cda73b5a8b2e7b917a) ([merge request](gitlab-org/security/gitlab!2323))
+- [Fix kroki exploit](gitlab-org/security/gitlab@bf056c683af25ec4b94c0efa7166eea399ed6502) ([merge request](gitlab-org/security/gitlab!2277))
+- [Fix blind SSRF when looking up SSH host keys for mirroring](gitlab-org/security/gitlab@3c853a32a73aba15e309d05111b744455a360cca) ([merge request](gitlab-org/security/gitlab!2310))
+- [Escape original content in reference redactor](gitlab-org/security/gitlab@00ee99bc3834d9d59572272064c9ad6abeae5975) ([merge request](gitlab-org/security/gitlab!2318))
+- [Security fix for CI/CD analytics visibility](gitlab-org/security/gitlab@691d69be77ae3c8e0a2598b75ccf336b672fd540) ([merge request](gitlab-org/security/gitlab!2273))
+- [Latest commit exposed through fork of a private project](gitlab-org/security/gitlab@6ca7a3b040edac06b23a697bfc2bf46f457d6b81) ([merge request](gitlab-org/security/gitlab!2271))
+- [Fix Asana integration restricted branch filter](gitlab-org/security/gitlab@4c1db692b4e99fab6cdbb818cf02fb879f6d4886) ([merge request](gitlab-org/security/gitlab!2218))
+- [Revert "JH need more complex passwords"](gitlab-org/security/gitlab@919aa2b28645d49fb71508362a0c61da39893c69) ([merge request](gitlab-org/security/gitlab!2353))
+
 ## 14.8.4 (2022-03-16)
 
 ### Added (1 change)
@@ -1319,6 +1370,32 @@ entry.
 - [Use `ssh_data` gem instead of `net-ssh` and `sshkey` where possible](gitlab-org/gitlab@59a0ee8605d509753c9aec719f8e0da77bcc679d) ([merge request](gitlab-org/gitlab!77424))
 - [Remove feature flag already default enabled](gitlab-org/gitlab@9b7059a4bf9dc2ecdce1910a931cc6967d05b5ad) ([merge request](gitlab-org/gitlab!78238)) **GitLab Enterprise Edition**
 
+## 14.7.7 (2022-03-31)
+
+### Security (21 changes)
+
+- [Update to commonmarker 0.23.4](gitlab-org/security/gitlab@eb4b231173c86901f93b5b7781716b1f7706dad1) ([merge request](gitlab-org/security/gitlab!2283))
+- [Revert merge request approval groups behavior](gitlab-org/security/gitlab@08e3ecced649f6ad241db6de7050b1502f7bef21) ([merge request](gitlab-org/security/gitlab!2333))
+- [Disallow login if password matches a fixed list](gitlab-org/security/gitlab@02a69ab32da1ac67d855de3ee388d0bd2bb6586e) ([merge request](gitlab-org/security/gitlab!2359))
+- [Update devise-two-factor to 4.0.2](gitlab-org/security/gitlab@c9fde96c7780f5b883cd1ac63d7ac3d5f4d78dc6) ([merge request](gitlab-org/security/gitlab!2351))
+- [Limit the number of tags associated with a CI runner](gitlab-org/security/gitlab@00124d5f8ba0d7437d1f6f19b029754bf481185b) ([merge request](gitlab-org/security/gitlab!2305))
+- [GitLab Pages Security Updates for 14.9](gitlab-org/security/gitlab@d335917e233658fa9d4452053469c3582ef38368) ([merge request](gitlab-org/security/gitlab!2325))
+- [Upgrade swagger-ui dependency](gitlab-org/security/gitlab@7a8ce32f70fd0338817705651ee0dbe0a277d5f1) ([merge request](gitlab-org/security/gitlab!2338))
+- [Modify release link format check to avoid regex if string is too long](gitlab-org/security/gitlab@e18dc2be245bca7e192c8536d1ba7de2ad798c43) ([merge request](gitlab-org/security/gitlab!2244))
+- [Masks variables in error messages](gitlab-org/security/gitlab@1706c5cf9b939a6ab0682db7b8945feb851a3f8b) ([merge request](gitlab-org/security/gitlab!2292))
+- [Escape user provided string to prevent XSS](gitlab-org/security/gitlab@c57edf9ab52810d455e41d71bad4e4d12c098cad) ([merge request](gitlab-org/security/gitlab!2315))
+- [Monkey patch of RDoc to prevent Ruby segfault](gitlab-org/security/gitlab@f9e5597d1864d03bf1f0103787becbc84886968d) ([merge request](gitlab-org/security/gitlab!2233))
+- [Project import maps members' created_by_id users based on source user ID](gitlab-org/security/gitlab@3ea1e477e0596f15e040f42b59fa86953d057128) ([merge request](gitlab-org/security/gitlab!2239))
+- [Redact InvalidURIError error messages](gitlab-org/security/gitlab@a42ede835e32f44b68c1affe78a7ee48332bb30a) ([merge request](gitlab-org/security/gitlab!2297))
+- [Fix access for approval rules API](gitlab-org/security/gitlab@b8c3997763d1e041dc2b82e464a99a5b2f15a798) ([merge request](gitlab-org/security/gitlab!2324))
+- [Fix kroki exploit](gitlab-org/security/gitlab@ad123e33510103af4fb00378ef1fc8dae4cacb21) ([merge request](gitlab-org/security/gitlab!2278))
+- [Fix blind SSRF when looking up SSH host keys for mirroring](gitlab-org/security/gitlab@0209f44cb4876f0a9ef13d4c8875a95a0cda1e2f) ([merge request](gitlab-org/security/gitlab!2311))
+- [Escape original content in reference redactor](gitlab-org/security/gitlab@f63861d8fe7b2b8d161162063e7995782cbfada8) ([merge request](gitlab-org/security/gitlab!2319))
+- [Security fix for CI/CD analytics visibility](gitlab-org/security/gitlab@fea6a4ff80862f9dba493405d03d82cf129e8854) ([merge request](gitlab-org/security/gitlab!2274))
+- [Latest commit exposed through fork of a private project](gitlab-org/security/gitlab@b573cea38cdce020e5f25fb9de60e0e506c87a9b) ([merge request](gitlab-org/security/gitlab!2272))
+- [Fix Asana integration restricted branch filter](gitlab-org/security/gitlab@56e2d9ae3de4f587d2c8a5aa111c2922553d6b7b) ([merge request](gitlab-org/security/gitlab!2214))
+- [Revert "JH need more complex passwords"](gitlab-org/security/gitlab@2419522b02700ce98e0c4d6e7bfd4d28b6464506) ([merge request](gitlab-org/security/gitlab!2354))
+
 ## 14.7.6 (2022-03-24)
 
 ### Added (1 change)
diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index 3ebf789f5a8..43c989b5531 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-1.56.0
+1.56.1
diff --git a/Gemfile b/Gemfile
index f3283f49d3e..87798951691 100644
--- a/Gemfile
+++ b/Gemfile
@@ -67,7 +67,7 @@ gem 'akismet', '~> 3.0'
 gem 'invisible_captcha', '~> 1.1.0'
 
 # Two-factor authentication
-gem 'devise-two-factor', '~> 4.0.0'
+gem 'devise-two-factor', '~> 4.0.2'
 gem 'rqrcode-rails3', '~> 0.1.7'
 gem 'attr_encrypted', '~> 3.1.0'
 gem 'u2f', '~> 0.2.1'
diff --git a/Gemfile.lock b/Gemfile.lock
index 7fc00cd0004..344810f92a2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -270,11 +270,11 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
-    devise-two-factor (4.0.0)
-      activesupport (< 6.2)
+    devise-two-factor (4.0.2)
+      activesupport (< 7.1)
       attr_encrypted (>= 1.3, < 4, != 2)
       devise (~> 4.0)
-      railties (< 6.2)
+      railties (< 7.1)
       rotp (~> 6.0)
     diff-lcs (1.4.4)
     diff_match_patch (0.1.0)
@@ -1458,7 +1458,7 @@ DEPENDENCIES
   derailed_benchmarks
   device_detector
   devise (~> 4.7.2)
-  devise-two-factor (~> 4.0.0)
+  devise-two-factor (~> 4.0.2)
   diff_match_patch (~> 0.1.0)
   diffy (~> 3.3)
   discordrb-webhooks (~> 3.4)
diff --git a/app/assets/javascripts/behaviors/components/diagram_performance_warning.vue b/app/assets/javascripts/behaviors/components/diagram_performance_warning.vue
new file mode 100644
index 00000000000..31b2682b546
--- /dev/null
+++ b/app/assets/javascripts/behaviors/components/diagram_performance_warning.vue
@@ -0,0 +1,25 @@
+<script>
+import { GlAlert } from '@gitlab/ui';
+import { __ } from '~/locale';
+
+export default {
+  i18n: {
+    bodyText: __('Warning: Displaying this diagram might cause performance issues on this page.'),
+    buttonText: __('Display'),
+  },
+  components: {
+    GlAlert,
+  },
+};
+</script>
+
+<template>
+  <gl-alert
+    :primary-button-text="$options.i18n.buttonText"
+    variant="warning"
+    @dismiss="$emit('closeAlert')"
+    @primaryAction="$emit('showImage')"
+  >
+    {{ $options.i18n.bodyText }}
+  </gl-alert>
+</template>
diff --git a/app/assets/javascripts/behaviors/markdown/constants.js b/app/assets/javascripts/behaviors/markdown/constants.js
index b4545d6c6c6..13f8d9ef0cf 100644
--- a/app/assets/javascripts/behaviors/markdown/constants.js
+++ b/app/assets/javascripts/behaviors/markdown/constants.js
@@ -1,3 +1,19 @@
 // https://prosemirror.net/docs/ref/#model.ParseRule.priority
 export const DEFAULT_PARSE_RULE_PRIORITY = 50;
 export const HIGHER_PARSE_RULE_PRIORITY = 1 + DEFAULT_PARSE_RULE_PRIORITY;
+
+export const unrestrictedPages = [
+  // Group wiki
+  'groups:wikis:show',
+  'groups:wikis:edit',
+  'groups:wikis:create',
+
+  // Project wiki
+  'projects:wikis:show',
+  'projects:wikis:edit',
+  'projects:wikis:create',
+
+  // Project files
+  'projects:show',
+  'projects:blob:show',
+];
diff --git a/app/assets/javascripts/behaviors/markdown/render_gfm.js b/app/assets/javascripts/behaviors/markdown/render_gfm.js
index 4bfce12c7c5..5079da9aa02 100644
--- a/app/assets/javascripts/behaviors/markdown/render_gfm.js
+++ b/app/assets/javascripts/behaviors/markdown/render_gfm.js
@@ -1,6 +1,7 @@
 import $ from 'jquery';
 import syntaxHighlight from '~/syntax_highlight';
 import highlightCurrentUser from './highlight_current_user';
+import { renderKroki } from './render_kroki';
 import renderMath from './render_math';
 import renderMermaid from './render_mermaid';
 import renderSandboxedMermaid from './render_sandboxed_mermaid';
@@ -12,6 +13,7 @@ import renderMetrics from './render_metrics';
 //
 $.fn.renderGFM = function renderGFM() {
   syntaxHighlight(this.find('.js-syntax-highlight').get());
+  renderKroki(this.find('.js-render-kroki[hidden]').get());
   renderMath(this.find('.js-render-math'));
   if (gon.features?.sandboxedMermaid) {
     renderSandboxedMermaid(this.find('.js-render-mermaid'));
diff --git a/app/assets/javascripts/behaviors/markdown/render_kroki.js b/app/assets/javascripts/behaviors/markdown/render_kroki.js
new file mode 100644
index 00000000000..abe71694d73
--- /dev/null
+++ b/app/assets/javascripts/behaviors/markdown/render_kroki.js
@@ -0,0 +1,63 @@
+import Vue from 'vue';
+import DiagramPerformanceWarning from '../components/diagram_performance_warning.vue';
+import { unrestrictedPages } from './constants';
+
+/**
+ * Create alert element.
+ *
+ * @param {Element} krokiImage Kroki `img` element
+ * @return {Element} Alert element
+ */
+function createAlert(krokiImage) {
+  const app = new Vue({
+    el: document.createElement('div'),
+    name: 'DiagramPerformanceWarningRoot',
+    render(createElement) {
+      return createElement(DiagramPerformanceWarning, {
+        on: {
+          closeAlert() {
+            app.$destroy();
+            app.$el.remove();
+          },
+          showImage() {
+            krokiImage.removeAttribute('hidden');
+            app.$destroy();
+            app.$el.remove();
+          },
+        },
+      });
+    },
+  });
+
+  return app.$el;
+}
+
+/**
+ * Add warning alert to hidden Kroki images,
+ * or show Kroki image if on an unrestricted page.
+ *
+ * Kroki images are given a hidden attribute by the
+ * backend when the original markdown source is large.
+ *
+ * @param {Array<Element>} krokiImages Array of hidden Kroki `img` elements
+ */
+export function renderKroki(krokiImages) {
+  const pageName = document.querySelector('body').dataset.page;
+  const isUnrestrictedPage = unrestrictedPages.includes(pageName);
+
+  krokiImages.forEach((krokiImage) => {
+    if (isUnrestrictedPage) {
+      krokiImage.removeAttribute('hidden');
+      return;
+    }
+
+    const parent = krokiImage.parentElement;
+
+    // A single Kroki image is processed multiple times for some reason,
+    // so this condition ensures we only create one alert per Kroki image
+    if (!parent.hasAttribute('data-kroki-processed')) {
+      parent.setAttribute('data-kroki-processed', 'true');
+      parent.after(createAlert(krokiImage));
+    }
+  });
+}
diff --git a/app/assets/javascripts/behaviors/markdown/render_mermaid.js b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
index d78c456ed5b..f9cf3af98bb 100644
--- a/app/assets/javascripts/behaviors/markdown/render_mermaid.js
+++ b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
@@ -3,6 +3,7 @@ import { once, countBy } from 'lodash';
 import createFlash from '~/flash';
 import { darkModeEnabled } from '~/lib/utils/color_utils';
 import { __, sprintf } from '~/locale';
+import { unrestrictedPages } from './constants';
 
 // Renders diagrams and flowcharts from text using Mermaid in any element with the
 // `js-render-mermaid` class.
@@ -30,24 +31,6 @@ let renderedMermaidBlocks = 0;
 
 let mermaidModule = {};
 
-// Whitelist pages where we won't impose any restrictions
-// on mermaid rendering
-const WHITELISTED_PAGES = [
-  // Group wiki
-  'groups:wikis:show',
-  'groups:wikis:edit',
-  'groups:wikis:create',
-
-  // Project wiki
-  'projects:wikis:show',
-  'projects:wikis:edit',
-  'projects:wikis:create',
-
-  // Project files
-  'projects:show',
-  'projects:blob:show',
-];
-
 export function initMermaid(mermaid) {
   let theme = 'neutral';
 
@@ -163,7 +146,7 @@ function renderMermaids($els) {
          * up the entire thread and causing a DoS.
          */
         if (
-          !WHITELISTED_PAGES.includes(pageName) &&
+          !unrestrictedPages.includes(pageName) &&
           ((source && source.length > MAX_CHAR_LIMIT) ||
             renderedChars > MAX_CHAR_LIMIT ||
             renderedMermaidBlocks >= MAX_MERMAID_BLOCK_LIMIT ||
diff --git a/app/assets/javascripts/behaviors/markdown/render_sandboxed_mermaid.js b/app/assets/javascripts/behaviors/markdown/render_sandboxed_mermaid.js
index 85a991a1ec9..6922ec9c5a5 100644
--- a/app/assets/javascripts/behaviors/markdown/render_sandboxed_mermaid.js
+++ b/app/assets/javascripts/behaviors/markdown/render_sandboxed_mermaid.js
@@ -9,6 +9,7 @@ import {
 } from '~/lib/utils/url_utility';
 import { darkModeEnabled } from '~/lib/utils/color_utils';
 import { setAttributes } from '~/lib/utils/dom_utils';
+import { unrestrictedPages } from './constants';
 
 // Renders diagrams and flowcharts from text using Mermaid in any element with the
 // `js-render-mermaid` class.
@@ -36,23 +37,6 @@ const BUFFER_IFRAME_HEIGHT = 10;
 const elsProcessingMap = new WeakMap();
 let renderedMermaidBlocks = 0;
 
-// Pages without any restrictions on mermaid rendering
-const PAGES_WITHOUT_RESTRICTIONS = [
-  // Group wiki
-  'groups:wikis:show',
-  'groups:wikis:edit',
-  'groups:wikis:create',
-
-  // Project wiki
-  'projects:wikis:show',
-  'projects:wikis:edit',
-  'projects:wikis:create',
-
-  // Project files
-  'projects:show',
-  'projects:blob:show',
-];
-
 function shouldLazyLoadMermaidBlock(source) {
   /**
    * If source contains `&`, which means that it might
@@ -149,7 +133,7 @@ function renderMermaids($els) {
      * up the entire thread and causing a DoS.
      */
     if (
-      !PAGES_WITHOUT_RESTRICTIONS.includes(pageName) &&
+      !unrestrictedPages.includes(pageName) &&
       ((source && source.length > MAX_CHAR_LIMIT) ||
         renderedChars > MAX_CHAR_LIMIT ||
         renderedMermaidBlocks >= MAX_MERMAID_BLOCK_LIMIT ||
diff --git a/app/assets/javascripts/blob/openapi/index.js b/app/assets/javascripts/blob/openapi/index.js
index b19cc19cb8c..a04da98ff77 100644
--- a/app/assets/javascripts/blob/openapi/index.js
+++ b/app/assets/javascripts/blob/openapi/index.js
@@ -1,6 +1,5 @@
 import { SwaggerUIBundle } from 'swagger-ui-dist';
 import createFlash from '~/flash';
-import { removeParams, updateHistory } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 
 export default () => {
@@ -8,14 +7,10 @@ export default () => {
 
   Promise.all([import(/* webpackChunkName: 'openapi' */ 'swagger-ui-dist/swagger-ui.css')])
     .then(() => {
-      // Temporary fix to prevent an XSS attack due to "useUnsafeMarkdown"
-      // Once we upgrade Swagger to "4.0.0", we can safely remove this as it will be deprecated
-      // Follow-up issue: https://gitlab.com/gitlab-org/gitlab/-/issues/339696
-      updateHistory({ url: removeParams(['useUnsafeMarkdown']), replace: true });
       SwaggerUIBundle({
         url: el.dataset.endpoint,
         dom_id: '#js-openapi-viewer',
-        useUnsafeMarkdown: false,
+        deepLinking: true,
       });
     })
     .catch((error) => {
diff --git a/app/assets/javascripts/crm/components/contact_form.vue b/app/assets/javascripts/crm/components/contact_form.vue
deleted file mode 100644
index 81ae5c246be..00000000000
--- a/app/assets/javascripts/crm/components/contact_form.vue
+++ /dev/null
@@ -1,224 +0,0 @@
-<script>
-import { GlAlert, GlButton, GlDrawer, GlFormGroup, GlFormInput } from '@gitlab/ui';
-import { produce } from 'immer';
-import { __, s__ } from '~/locale';
-import { convertToGraphQLId } from '~/graphql_shared/utils';
-import { TYPE_GROUP } from '~/graphql_shared/constants';
-import createContactMutation from './queries/create_contact.mutation.graphql';
-import updateContactMutation from './queries/update_contact.mutation.graphql';
-import getGroupContactsQuery from './queries/get_group_contacts.query.graphql';
-
-export default {
-  components: {
-    GlAlert,
-    GlButton,
-    GlDrawer,
-    GlFormGroup,
-    GlFormInput,
-  },
-  inject: ['groupFullPath', 'groupId'],
-  props: {
-    drawerOpen: {
-      type: Boolean,
-      required: true,
-    },
-    contact: {
-      type: Object,
-      required: false,
-      default: () => {},
-    },
-  },
-  data() {
-    return {
-      firstName: '',
-      lastName: '',
-      phone: '',
-      email: '',
-      description: '',
-      submitting: false,
-      errorMessages: [],
-    };
-  },
-  computed: {
-    invalid() {
-      const { firstName, lastName, email } = this;
-
-      return firstName.trim() === '' || lastName.trim() === '' || email.trim() === '';
-    },
-    editMode() {
-      return Boolean(this.contact);
-    },
-    title() {
-      return this.editMode ? this.$options.i18n.editTitle : this.$options.i18n.newTitle;
-    },
-    buttonLabel() {
-      return this.editMode
-        ? this.$options.i18n.editButtonLabel
-        : this.$options.i18n.createButtonLabel;
-    },
-    mutation() {
-      return this.editMode ? updateContactMutation : createContactMutation;
-    },
-    variables() {
-      const { contact, firstName, lastName, phone, email, description, editMode, groupId } = this;
-
-      const variables = {
-        input: {
-          firstName,
-          lastName,
-          phone,
-          email,
-          description,
-        },
-      };
-
-      if (editMode) {
-        variables.input.id = contact.id;
-      } else {
-        variables.input.groupId = convertToGraphQLId(TYPE_GROUP, groupId);
-      }
-
-      return variables;
-    },
-  },
-  mounted() {
-    if (this.editMode) {
-      const { contact } = this;
-
-      this.firstName = contact.firstName || '';
-      this.lastName = contact.lastName || '';
-      this.phone = contact.phone || '';
-      this.email = contact.email || '';
-      this.description = contact.description || '';
-    }
-  },
-  methods: {
-    save() {
-      const { mutation, variables, updateCache, close } = this;
-
-      this.submitting = true;
-
-      return this.$apollo
-        .mutate({
-          mutation,
-          variables,
-          update: updateCache,
-        })
-        .then(({ data }) => {
-          if (
-            data.customerRelationsContactCreate?.errors.length === 0 ||
-            data.customerRelationsContactUpdate?.errors.length === 0
-          ) {
-            close(true);
-          }
-
-          this.submitting = false;
-        })
-        .catch(() => {
-          this.errorMessages = [this.$options.i18n.somethingWentWrong];
-          this.submitting = false;
-        });
-    },
-    close(success) {
-      this.$emit('close', success);
-    },
-    updateCache(store, { data }) {
-      const mutationData =
-        data.customerRelationsContactCreate || data.customerRelationsContactUpdate;
-
-      if (mutationData?.errors.length > 0) {
-        this.errorMessages = mutationData.errors;
-        return;
-      }
-
-      const queryArgs = {
-        query: getGroupContactsQuery,
-        variables: { groupFullPath: this.groupFullPath },
-      };
-
-      const sourceData = store.readQuery(queryArgs);
-
-      queryArgs.data = produce(sourceData, (draftState) => {
-        draftState.group.contacts.nodes = [
-          ...sourceData.group.contacts.nodes.filter(({ id }) => id !== this.contact?.id),
-          mutationData.contact,
-        ];
-      });
-
-      store.writeQuery(queryArgs);
-    },
-    getDrawerHeaderHeight() {
-      const wrapperEl = document.querySelector('.content-wrapper');
-
-      if (wrapperEl) {
-        return `${wrapperEl.offsetTop}px`;
-      }
-
-      return '';
-    },
-  },
-  i18n: {
-    createButtonLabel: s__('Crm|Create new contact'),
-    editButtonLabel: __('Save changes'),
-    cancel: __('Cancel'),
-    firstName: s__('Crm|First name'),
-    lastName: s__('Crm|Last name'),
-    email: s__('Crm|Email'),
-    phone: s__('Crm|Phone number (optional)'),
-    description: s__('Crm|Description (optional)'),
-    newTitle: s__('Crm|New contact'),
-    editTitle: s__('Crm|Edit contact'),
-    somethingWentWrong: __('Something went wrong. Please try again.'),
-  },
-};
-</script>
-
-<template>
-  <gl-drawer
-    class="gl-drawer-responsive"
-    :open="drawerOpen"
-    :header-height="getDrawerHeaderHeight()"
-    @close="close(false)"
-  >
-    <template #title>
-      <h3>{{ title }}</h3>
-    </template>
-    <gl-alert v-if="errorMessages.length" variant="danger" @dismiss="errorMessages = []">
-      <ul class="gl-mb-0! gl-ml-5">
-        <li v-for="error in errorMessages" :key="error">
-          {{ error }}
-        </li>
-      </ul>
-    </gl-alert>
-    <form @submit.prevent="save">
-      <gl-form-group :label="$options.i18n.firstName" label-for="contact-first-name">
-        <gl-form-input id="contact-first-name" v-model="firstName" />
-      </gl-form-group>
-      <gl-form-group :label="$options.i18n.lastName" label-for="contact-last-name">
-        <gl-form-input id="contact-last-name" v-model="lastName" />
-      </gl-form-group>
-      <gl-form-group :label="$options.i18n.email" label-for="contact-email">
-        <gl-form-input id="contact-email" v-model="email" />
-      </gl-form-group>
-      <gl-form-group :label="$options.i18n.phone" label-for="contact-phone">
-        <gl-form-input id="contact-phone" v-model="phone" />
-      </gl-form-group>
-      <gl-form-group :label="$options.i18n.description" label-for="contact-description">
-        <gl-form-input id="contact-description" v-model="description" />
-      </gl-form-group>
-      <span class="gl-float-right">
-        <gl-button data-testid="cancel-button" @click="close(false)">
-          {{ $options.i18n.cancel }}
-        </gl-button>
-        <gl-button
-          variant="confirm"
-          :disabled="invalid"
-          :loading="submitting"
-          data-testid="save-contact-button"
-          type="submit"
-          >{{ buttonLabel }}</gl-button
-        >
-      </span>
-    </form>
-  </gl-drawer>
-</template>
diff --git a/app/assets/javascripts/crm/components/form.vue b/app/assets/javascripts/crm/components/form.vue
index b24de1e95e8..4f94898ff63 100644
--- a/app/assets/javascripts/crm/components/form.vue
+++ b/app/assets/javascripts/crm/components/form.vue
@@ -61,11 +61,6 @@ export default {
       required: false,
       default: null,
     },
-    existingModel: {
-      type: Object,
-      required: false,
-      default: () => ({}),
-    },
     additionalCreateParams: {
       type: Object,
       required: false,
@@ -76,25 +71,42 @@ export default {
       required: false,
       default: () => MSG_SAVE_CHANGES,
     },
+    existingId: {
+      type: String,
+      required: false,
+      default: null,
+    },
   },
   data() {
-    const initialModel = this.fields.reduce(
-      (map, field) =>
-        Object.assign(map, {
-          [field.name]: this.existingModel ? this.existingModel[field.name] : null,
-        }),
-      {},
-    );
-
     return {
-      model: initialModel,
+      model: null,
       submitting: false,
       errorMessages: [],
+      records: [],
+      loading: true,
     };
   },
+  apollo: {
+    records: {
+      query() {
+        return this.getQuery.query;
+      },
+      variables() {
+        return this.getQuery.variables;
+      },
+      update(data) {
+        this.records = getPropValueByPath(data, this.getQueryNodePath).nodes || [];
+        this.setInitialModel();
+        this.loading = false;
+      },
+      error() {
+        this.errorMessages = [MSG_ERROR];
+      },
+    },
+  },
   computed: {
     isEditMode() {
-      return this.existingModel?.id;
+      return this.existingId;
     },
     isInvalid() {
       const { fields, model } = this;
@@ -115,13 +127,24 @@ export default {
       );
 
       if (isEditMode) {
-        return { input: { id: this.existingModel.id, ...variables } };
+        return { input: { id: this.existingId, ...variables } };
       }
 
       return { input: { ...additionalCreateParams, ...variables } };
     },
   },
   methods: {
+    setInitialModel() {
+      const existingModel = this.records.find(({ id }) => id === this.existingId);
+
+      this.model = this.fields.reduce(
+        (map, field) =>
+          Object.assign(map, {
+            [field.name]: !this.isEditMode || !existingModel ? null : existingModel[field.name],
+          }),
+        {},
+      );
+    },
     formatValue(model, field) {
       if (!isEmpty(model[field.name]) && field.input?.type === 'number') {
         return parseFloat(model[field.name]);
@@ -173,7 +196,7 @@ export default {
       const sourceData = store.readQuery(getQuery);
 
       const newData = produce(sourceData, (draftState) => {
-        getPropValueByPath(draftState, getQueryNodePath).nodes.push(getFirstPropertyValue(result));
+        getPropValueByPath(draftState, getQueryNodePath).nodes.push(this.getPayload(result));
       });
 
       store.writeQuery({
@@ -185,6 +208,14 @@ export default {
       const optionalSuffix = field.required ? '' : ` ${MSG_OPTIONAL}`;
       return field.label + optionalSuffix;
     },
+    getPayload(data) {
+      if (!data) return null;
+
+      const keys = Object.keys(data);
+      if (keys[0] === '__typename') return data[keys[1]];
+
+      return data[keys[0]];
+    },
   },
   MSG_CANCEL,
   INDEX_ROUTE_NAME,
@@ -192,7 +223,7 @@ export default {
 </script>
 
 <template>
-  <mounting-portal mount-to="#js-crm-form-portal" append>
+  <mounting-portal v-if="!loading" mount-to="#js-crm-form-portal" append>
     <gl-drawer class="gl-drawer-responsive gl-absolute" :open="drawerOpen" @close="close(false)">
       <template #title>
         <h3>{{ title }}</h3>
diff --git a/app/assets/javascripts/crm/components/new_organization_form.vue b/app/assets/javascripts/crm/components/new_organization_form.vue
deleted file mode 100644
index 3b11edc6935..00000000000
--- a/app/assets/javascripts/crm/components/new_organization_form.vue
+++ /dev/null
@@ -1,164 +0,0 @@
-<script>
-import { GlAlert, GlButton, GlDrawer, GlFormGroup, GlFormInput } from '@gitlab/ui';
-import { produce } from 'immer';
-import { __, s__ } from '~/locale';
-import { convertToGraphQLId } from '~/graphql_shared/utils';
-import { TYPE_GROUP } from '~/graphql_shared/constants';
-import createOrganization from './queries/create_organization.mutation.graphql';
-import getGroupOrganizationsQuery from './queries/get_group_organizations.query.graphql';
-
-export default {
-  components: {
-    GlAlert,
-    GlButton,
-    GlDrawer,
-    GlFormGroup,
-    GlFormInput,
-  },
-  inject: ['groupFullPath', 'groupId'],
-  props: {
-    drawerOpen: {
-      type: Boolean,
-      required: true,
-    },
-  },
-  data() {
-    return {
-      name: '',
-      defaultRate: null,
-      description: '',
-      submitting: false,
-      errorMessages: [],
-    };
-  },
-  computed: {
-    invalid() {
-      return this.name.trim() === '';
-    },
-  },
-  methods: {
-    save() {
-      this.submitting = true;
-      return this.$apollo
-        .mutate({
-          mutation: createOrganization,
-          variables: {
-            input: {
-              groupId: convertToGraphQLId(TYPE_GROUP, this.groupId),
-              name: this.name,
-              defaultRate: this.defaultRate ? parseFloat(this.defaultRate) : null,
-              description: this.description,
-            },
-          },
-          update: this.updateCache,
-        })
-        .then(({ data }) => {
-          if (data.customerRelationsOrganizationCreate.errors.length === 0) this.close(true);
-
-          this.submitting = false;
-        })
-        .catch(() => {
-          this.errorMessages = [this.$options.i18n.somethingWentWrong];
-          this.submitting = false;
-        });
-    },
-    close(success) {
-      this.$emit('close', success);
-    },
-    updateCache(store, { data: { customerRelationsOrganizationCreate } }) {
-      if (customerRelationsOrganizationCreate.errors.length > 0) {
-        this.errorMessages = customerRelationsOrganizationCreate.errors;
-        return;
-      }
-
-      const variables = {
-        groupFullPath: this.groupFullPath,
-      };
-      const sourceData = store.readQuery({
-        query: getGroupOrganizationsQuery,
-        variables,
-      });
-
-      const data = produce(sourceData, (draftState) => {
-        draftState.group.organizations.nodes = [
-          ...sourceData.group.organizations.nodes,
-          customerRelationsOrganizationCreate.organization,
-        ];
-      });
-
-      store.writeQuery({
-        query: getGroupOrganizationsQuery,
-        variables,
-        data,
-      });
-    },
-    getDrawerHeaderHeight() {
-      const wrapperEl = document.querySelector('.content-wrapper');
-
-      if (wrapperEl) {
-        return `${wrapperEl.offsetTop}px`;
-      }
-
-      return '';
-    },
-  },
-  i18n: {
-    buttonLabel: s__('Crm|Create organization'),
-    cancel: __('Cancel'),
-    name: __('Name'),
-    defaultRate: s__('Crm|Default rate (optional)'),
-    description: __('Description (optional)'),
-    title: s__('Crm|New Organization'),
-    somethingWentWrong: __('Something went wrong. Please try again.'),
-  },
-};
-</script>
-
-<template>
-  <gl-drawer
-    class="gl-drawer-responsive"
-    :open="drawerOpen"
-    :header-height="getDrawerHeaderHeight()"
-    @close="close(false)"
-  >
-    <template #title>
-      <h4>{{ $options.i18n.title }}</h4>
-    </template>
-    <gl-alert v-if="errorMessages.length" variant="danger" @dismiss="errorMessages = []">
-      <ul class="gl-mb-0! gl-ml-5">
-        <li v-for="error in errorMessages" :key="error">
-          {{ error }}
-        </li>
-      </ul>
-    </gl-alert>
-    <form @submit.prevent="save">
-      <gl-form-group :label="$options.i18n.name" label-for="organization-name">
-        <gl-form-input id="organization-name" v-model="name" />
-      </gl-form-group>
-      <gl-form-group :label="$options.i18n.defaultRate" label-for="organization-default-rate">
-        <gl-form-input
-          id="organization-default-rate"
-          v-model="defaultRate"
-          type="number"
-          step="0.01"
-        />
-      </gl-form-group>
-      <gl-form-group :label="$options.i18n.description" label-for="organization-description">
-        <gl-form-input id="organization-description" v-model="description" />
-      </gl-form-group>
-      <span class="gl-float-right">
-        <gl-button data-testid="cancel-button" @click="close(false)">
-          {{ $options.i18n.cancel }}
-        </gl-button>
-        <gl-button
-          variant="confirm"
-          :disabled="invalid"
-          :loading="submitting"
-          data-testid="create-new-organization-button"
-          type="submit"
-          >{{ $options.i18n.buttonLabel }}</gl-button
-        >
-      </span>
-    </form>
-  </gl-drawer>
-</template>
diff --git a/app/assets/javascripts/crm/contacts_bundle.js b/app/assets/javascripts/crm/contacts/bundle.js
similarity index 100%
rename from app/assets/javascripts/crm/contacts_bundle.js
rename to app/assets/javascripts/crm/contacts/bundle.js
diff --git a/app/assets/javascripts/crm/contacts/components/contact_form_wrapper.vue b/app/assets/javascripts/crm/contacts/components/contact_form_wrapper.vue
new file mode 100644
index 00000000000..58eaabfbb7f
--- /dev/null
+++ b/app/assets/javascripts/crm/contacts/components/contact_form_wrapper.vue
@@ -0,0 +1,78 @@
+<script>
+import { s__, __ } from '~/locale';
+import { convertToGraphQLId } from '~/graphql_shared/utils';
+import { TYPE_CRM_CONTACT, TYPE_GROUP } from '~/graphql_shared/constants';
+import ContactForm from '../../components/form.vue';
+import getGroupContactsQuery from './graphql/get_group_contacts.query.graphql';
+import createContactMutation from './graphql/create_contact.mutation.graphql';
+import updateContactMutation from './graphql/update_contact.mutation.graphql';
+
+export default {
+  components: {
+    ContactForm,
+  },
+  inject: ['groupFullPath', 'groupId'],
+  props: {
+    isEditMode: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
+  },
+  computed: {
+    contactGraphQLId() {
+      if (!this.isEditMode) return null;
+
+      return convertToGraphQLId(TYPE_CRM_CONTACT, this.$route.params.id);
+    },
+    groupGraphQLId() {
+      return convertToGraphQLId(TYPE_GROUP, this.groupId);
+    },
+    mutation() {
+      if (this.isEditMode) return updateContactMutation;
+
+      return createContactMutation;
+    },
+    getQuery() {
+      return {
+        query: getGroupContactsQuery,
+        variables: { groupFullPath: this.groupFullPath },
+      };
+    },
+    title() {
+      if (this.isEditMode) return s__('Crm|Edit contact');
+
+      return s__('Crm|New contact');
+    },
+    successMessage() {
+      if (this.isEditMode) return s__('Crm|Contact has been updated.');
+
+      return s__('Crm|Contact has been added.');
+    },
+    additionalCreateParams() {
+      return { groupId: this.groupGraphQLId };
+    },
+  },
+  fields: [
+    { name: 'firstName', label: __('First name'), required: true },
+    { name: 'lastName', label: __('Last name'), required: true },
+    { name: 'email', label: __('Email'), required: true },
+    { name: 'phone', label: __('Phone') },
+    { name: 'description', label: __('Description') },
+  ],
+};
+</script>
+
+<template>
+  <contact-form
+    :drawer-open="true"
+    :get-query="getQuery"
+    get-query-node-path="group.contacts"
+    :mutation="mutation"
+    :additional-create-params="additionalCreateParams"
+    :existing-id="contactGraphQLId"
+    :fields="$options.fields"
+    :title="title"
+    :success-message="successMessage"
+  />
+</template>
diff --git a/app/assets/javascripts/crm/components/contacts_root.vue b/app/assets/javascripts/crm/contacts/components/contacts_root.vue
similarity index 55%
rename from app/assets/javascripts/crm/components/contacts_root.vue
rename to app/assets/javascripts/crm/contacts/components/contacts_root.vue
index 178ce84c64d..17be3800256 100644
--- a/app/assets/javascripts/crm/components/contacts_root.vue
+++ b/app/assets/javascripts/crm/contacts/components/contacts_root.vue
@@ -2,11 +2,9 @@
 import { GlAlert, GlButton, GlLoadingIcon, GlTable, GlTooltipDirective } from '@gitlab/ui';
 import { parseBoolean } from '~/lib/utils/common_utils';
 import { s__, __ } from '~/locale';
-import { convertToGraphQLId, getIdFromGraphQLId } from '~/graphql_shared/utils';
-import { TYPE_CRM_CONTACT } from '~/graphql_shared/constants';
-import { INDEX_ROUTE_NAME, NEW_ROUTE_NAME, EDIT_ROUTE_NAME } from '../constants';
-import getGroupContactsQuery from './queries/get_group_contacts.query.graphql';
-import ContactForm from './contact_form.vue';
+import { getIdFromGraphQLId } from '~/graphql_shared/utils';
+import { EDIT_ROUTE_NAME, NEW_ROUTE_NAME } from '../../constants';
+import getGroupContactsQuery from './graphql/get_group_contacts.query.graphql';
 
 export default {
   components: {
@@ -14,12 +12,11 @@ export default {
     GlButton,
     GlLoadingIcon,
     GlTable,
-    ContactForm,
   },
   directives: {
     GlTooltip: GlTooltipDirective,
   },
-  inject: ['groupFullPath', 'groupIssuesPath', 'canAdminCrmContact'],
+  inject: ['canAdminCrmContact', 'groupFullPath', 'groupIssuesPath'],
   data() {
     return {
       contacts: [],
@@ -48,50 +45,20 @@ export default {
     isLoading() {
       return this.$apollo.queries.contacts.loading;
     },
-    showNewForm() {
-      return this.$route.name === NEW_ROUTE_NAME;
-    },
-    showEditForm() {
-      return !this.isLoading && this.$route.name === EDIT_ROUTE_NAME;
-    },
     canAdmin() {
       return parseBoolean(this.canAdminCrmContact);
     },
-    editingContact() {
-      return this.contacts.find(
-        (contact) => contact.id === convertToGraphQLId(TYPE_CRM_CONTACT, this.$route.params.id),
-      );
-    },
   },
   methods: {
     extractContacts(data) {
       const contacts = data?.group?.contacts?.nodes || [];
       return contacts.slice().sort((a, b) => a.firstName.localeCompare(b.firstName));
     },
-    displayNewForm() {
-      if (this.showNewForm) return;
-
-      this.$router.push({ name: NEW_ROUTE_NAME });
-    },
-    hideNewForm(success) {
-      if (success) this.$toast.show(s__('Crm|Contact has been added'));
-
-      this.$router.replace({ name: INDEX_ROUTE_NAME });
-    },
-    hideEditForm(success) {
-      if (success) this.$toast.show(s__('Crm|Contact has been updated'));
-
-      this.editingContactId = 0;
-      this.$router.replace({ name: INDEX_ROUTE_NAME });
-    },
     getIssuesPath(path, value) {
       return `${path}?scope=all&state=opened&crm_contact_id=${value}`;
     },
-    edit(value) {
-      if (this.showEditForm) return;
-
-      this.editingContactId = value;
-      this.$router.push({ name: EDIT_ROUTE_NAME, params: { id: value } });
+    getEditRoute(id) {
+      return { name: this.$options.EDIT_ROUTE_NAME, params: { id } };
     },
   },
   fields: [
@@ -119,10 +86,12 @@ export default {
     emptyText: s__('Crm|No contacts found'),
     issuesButtonLabel: __('View issues'),
     editButtonLabel: __('Edit'),
-    title: s__('Crm|Customer Relations Contacts'),
+    title: s__('Crm|Customer relations contacts'),
     newContact: s__('Crm|New contact'),
     errorText: __('Something went wrong. Please try again.'),
   },
+  EDIT_ROUTE_NAME,
+  NEW_ROUTE_NAME,
 };
 </script>
 
@@ -137,24 +106,15 @@ export default {
       <h2 class="gl-font-size-h2 gl-my-0">
         {{ $options.i18n.title }}
       </h2>
-      <div class="gl-display-none gl-md-display-flex gl-align-items-center gl-justify-content-end">
-        <gl-button
-          v-if="canAdmin"
-          variant="confirm"
-          data-testid="new-contact-button"
-          @click="displayNewForm"
-        >
-          {{ $options.i18n.newContact }}
-        </gl-button>
+      <div v-if="canAdmin">
+        <router-link :to="{ name: $options.NEW_ROUTE_NAME }">
+          <gl-button variant="confirm" data-testid="new-contact-button">
+            {{ $options.i18n.newContact }}
+          </gl-button>
+        </router-link>
       </div>
     </div>
-    <contact-form v-if="showNewForm" :drawer-open="showNewForm" @close="hideNewForm" />
-    <contact-form
-      v-if="showEditForm"
-      :contact="editingContact"
-      :drawer-open="showEditForm"
-      @close="hideEditForm"
-    />
+    <router-view />
     <gl-loading-icon v-if="isLoading" class="gl-mt-5" size="lg" />
     <gl-table
       v-else
@@ -164,23 +124,24 @@ export default {
       :empty-text="$options.i18n.emptyText"
       show-empty
     >
-      <template #cell(id)="data">
+      <template #cell(id)="{ value: id }">
         <gl-button
           v-gl-tooltip.hover.bottom="$options.i18n.issuesButtonLabel"
           class="gl-mr-3"
           data-testid="issues-link"
           icon="issues"
           :aria-label="$options.i18n.issuesButtonLabel"
-          :href="getIssuesPath(groupIssuesPath, data.value)"
-        />
-        <gl-button
-          v-if="canAdmin"
-          v-gl-tooltip.hover.bottom="$options.i18n.editButtonLabel"
-          data-testid="edit-contact-button"
-          icon="pencil"
-          :aria-label="$options.i18n.editButtonLabel"
-          @click="edit(data.value)"
+          :href="getIssuesPath(groupIssuesPath, id)"
         />
+        <router-link :to="getEditRoute(id)">
+          <gl-button
+            v-if="canAdmin"
+            v-gl-tooltip.hover.bottom="$options.i18n.editButtonLabel"
+            data-testid="edit-contact-button"
+            icon="pencil"
+            :aria-label="$options.i18n.editButtonLabel"
+          />
+        </router-link>
       </template>
     </gl-table>
   </div>
diff --git a/app/assets/javascripts/crm/components/queries/create_contact.mutation.graphql b/app/assets/javascripts/crm/contacts/components/graphql/create_contact.mutation.graphql
similarity index 100%
rename from app/assets/javascripts/crm/components/queries/create_contact.mutation.graphql
rename to app/assets/javascripts/crm/contacts/components/graphql/create_contact.mutation.graphql
diff --git a/app/assets/javascripts/crm/components/queries/crm_contact_fields.fragment.graphql b/app/assets/javascripts/crm/contacts/components/graphql/crm_contact_fields.fragment.graphql
similarity index 100%
rename from app/assets/javascripts/crm/components/queries/crm_contact_fields.fragment.graphql
rename to app/assets/javascripts/crm/contacts/components/graphql/crm_contact_fields.fragment.graphql
diff --git a/app/assets/javascripts/crm/components/queries/get_group_contacts.query.graphql b/app/assets/javascripts/crm/contacts/components/graphql/get_group_contacts.query.graphql
similarity index 100%
rename from app/assets/javascripts/crm/components/queries/get_group_contacts.query.graphql
rename to app/assets/javascripts/crm/contacts/components/graphql/get_group_contacts.query.graphql
diff --git a/app/assets/javascripts/crm/components/queries/update_contact.mutation.graphql b/app/assets/javascripts/crm/contacts/components/graphql/update_contact.mutation.graphql
similarity index 100%
rename from app/assets/javascripts/crm/components/queries/update_contact.mutation.graphql
rename to app/assets/javascripts/crm/contacts/components/graphql/update_contact.mutation.graphql
diff --git a/app/assets/javascripts/crm/routes.js b/app/assets/javascripts/crm/contacts/routes.js
similarity index 56%
rename from app/assets/javascripts/crm/routes.js
rename to app/assets/javascripts/crm/contacts/routes.js
index 12aa17d73b6..18768e1c775 100644
--- a/app/assets/javascripts/crm/routes.js
+++ b/app/assets/javascripts/crm/contacts/routes.js
@@ -1,4 +1,5 @@
-import { INDEX_ROUTE_NAME, NEW_ROUTE_NAME, EDIT_ROUTE_NAME } from './constants';
+import { INDEX_ROUTE_NAME, NEW_ROUTE_NAME, EDIT_ROUTE_NAME } from '../constants';
+import ContactFormWrapper from './components/contact_form_wrapper.vue';
 
 export default [
   {
@@ -8,9 +9,12 @@ export default [
   {
     name: NEW_ROUTE_NAME,
     path: '/new',
+    component: ContactFormWrapper,
   },
   {
     name: EDIT_ROUTE_NAME,
     path: '/:id/edit',
+    component: ContactFormWrapper,
+    props: { isEditMode: true },
   },
 ];
diff --git a/app/assets/javascripts/crm/organizations_bundle.js b/app/assets/javascripts/crm/organizations/bundle.js
similarity index 100%
rename from app/assets/javascripts/crm/organizations_bundle.js
rename to app/assets/javascripts/crm/organizations/bundle.js
diff --git a/app/assets/javascripts/crm/components/queries/create_organization.mutation.graphql b/app/assets/javascripts/crm/organizations/components/graphql/create_organization.mutation.graphql
similarity index 100%
rename from app/assets/javascripts/crm/components/queries/create_organization.mutation.graphql
rename to app/assets/javascripts/crm/organizations/components/graphql/create_organization.mutation.graphql
diff --git a/app/assets/javascripts/crm/components/queries/crm_organization_fields.fragment.graphql b/app/assets/javascripts/crm/organizations/components/graphql/crm_organization_fields.fragment.graphql
similarity index 100%
rename from app/assets/javascripts/crm/components/queries/crm_organization_fields.fragment.graphql
rename to app/assets/javascripts/crm/organizations/components/graphql/crm_organization_fields.fragment.graphql
diff --git a/app/assets/javascripts/crm/components/queries/get_group_organizations.query.graphql b/app/assets/javascripts/crm/organizations/components/graphql/get_group_organizations.query.graphql
similarity index 100%
rename from app/assets/javascripts/crm/components/queries/get_group_organizations.query.graphql
rename to app/assets/javascripts/crm/organizations/components/graphql/get_group_organizations.query.graphql
diff --git a/app/assets/javascripts/crm/organizations/components/graphql/update_organization.mutation.graphql b/app/assets/javascripts/crm/organizations/components/graphql/update_organization.mutation.graphql
new file mode 100644
index 00000000000..a4c46d1f0fa
--- /dev/null
+++ b/app/assets/javascripts/crm/organizations/components/graphql/update_organization.mutation.graphql
@@ -0,0 +1,10 @@
+#import "./crm_organization_fields.fragment.graphql"
+
+mutation updateOrganization($input: CustomerRelationsOrganizationUpdateInput!) {
+  customerRelationsOrganizationUpdate(input: $input) {
+    organization {
+      ...OrganizationFragment
+    }
+    errors
+  }
+}
diff --git a/app/assets/javascripts/crm/organizations/components/organization_form_wrapper.vue b/app/assets/javascripts/crm/organizations/components/organization_form_wrapper.vue
new file mode 100644
index 00000000000..38468e1f4e4
--- /dev/null
+++ b/app/assets/javascripts/crm/organizations/components/organization_form_wrapper.vue
@@ -0,0 +1,80 @@
+<script>
+import { s__, __ } from '~/locale';
+import { convertToGraphQLId } from '~/graphql_shared/utils';
+import { TYPE_CRM_ORGANIZATION, TYPE_GROUP } from '~/graphql_shared/constants';
+import OrganizationForm from '../../components/form.vue';
+import getGroupOrganizationsQuery from './graphql/get_group_organizations.query.graphql';
+import createOrganizationMutation from './graphql/create_organization.mutation.graphql';
+import updateOrganizationMutation from './graphql/update_organization.mutation.graphql';
+
+export default {
+  components: {
+    OrganizationForm,
+  },
+  inject: ['groupFullPath', 'groupId'],
+  props: {
+    isEditMode: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
+  },
+  computed: {
+    organizationGraphQLId() {
+      if (!this.isEditMode) return null;
+
+      return convertToGraphQLId(TYPE_CRM_ORGANIZATION, this.$route.params.id);
+    },
+    groupGraphQLId() {
+      return convertToGraphQLId(TYPE_GROUP, this.groupId);
+    },
+    mutation() {
+      if (this.isEditMode) return updateOrganizationMutation;
+
+      return createOrganizationMutation;
+    },
+    getQuery() {
+      return {
+        query: getGroupOrganizationsQuery,
+        variables: { groupFullPath: this.groupFullPath },
+      };
+    },
+    title() {
+      if (this.isEditMode) return s__('Crm|Edit organization');
+
+      return s__('Crm|New organization');
+    },
+    successMessage() {
+      if (this.isEditMode) return s__('Crm|Organization has been updated.');
+
+      return s__('Crm|Organization has been added.');
+    },
+    additionalCreateParams() {
+      return { groupId: this.groupGraphQLId };
+    },
+  },
+  fields: [
+    { name: 'name', label: __('Name'), required: true },
+    {
+      name: 'defaultRate',
+      label: s__('Crm|Default rate'),
+      input: { type: 'number', step: '0.01' },
+    },
+    { name: 'description', label: __('Description') },
+  ],
+};
+</script>
+
+<template>
+  <organization-form
+    :drawer-open="true"
+    :get-query="getQuery"
+    get-query-node-path="group.organizations"
+    :mutation="mutation"
+    :additional-create-params="additionalCreateParams"
+    :existing-id="organizationGraphQLId"
+    :fields="$options.fields"
+    :title="title"
+    :success-message="successMessage"
+  />
+</template>
diff --git a/app/assets/javascripts/crm/components/organizations_root.vue b/app/assets/javascripts/crm/organizations/components/organizations_root.vue
similarity index 72%
rename from app/assets/javascripts/crm/components/organizations_root.vue
rename to app/assets/javascripts/crm/organizations/components/organizations_root.vue
index 9370c6377e9..522e29eb2af 100644
--- a/app/assets/javascripts/crm/components/organizations_root.vue
+++ b/app/assets/javascripts/crm/organizations/components/organizations_root.vue
@@ -3,9 +3,8 @@ import { GlAlert, GlButton, GlLoadingIcon, GlTable, GlTooltipDirective } from '@
 import { parseBoolean } from '~/lib/utils/common_utils';
 import { s__, __ } from '~/locale';
 import { getIdFromGraphQLId } from '~/graphql_shared/utils';
-import { INDEX_ROUTE_NAME, NEW_ROUTE_NAME } from '../constants';
-import getGroupOrganizationsQuery from './queries/get_group_organizations.query.graphql';
-import NewOrganizationForm from './new_organization_form.vue';
+import { EDIT_ROUTE_NAME, NEW_ROUTE_NAME } from '../../constants';
+import getGroupOrganizationsQuery from './graphql/get_group_organizations.query.graphql';
 
 export default {
   components: {
@@ -13,7 +12,6 @@ export default {
     GlButton,
     GlLoadingIcon,
     GlTable,
-    NewOrganizationForm,
   },
   directives: {
     GlTooltip: GlTooltipDirective,
@@ -21,8 +19,8 @@ export default {
   inject: ['canAdminCrmOrganization', 'groupFullPath', 'groupIssuesPath'],
   data() {
     return {
-      error: false,
       organizations: [],
+      error: false,
     };
   },
   apollo: {
@@ -47,10 +45,7 @@ export default {
     isLoading() {
       return this.$apollo.queries.organizations.loading;
     },
-    showNewForm() {
-      return this.$route.name === NEW_ROUTE_NAME;
-    },
-    canCreateNew() {
+    canAdmin() {
       return parseBoolean(this.canAdminCrmOrganization);
     },
   },
@@ -62,15 +57,8 @@ export default {
     getIssuesPath(path, value) {
       return `${path}?scope=all&state=opened&crm_organization_id=${value}`;
     },
-    displayNewForm() {
-      if (this.showNewForm) return;
-
-      this.$router.push({ name: NEW_ROUTE_NAME });
-    },
-    hideNewForm(success) {
-      if (success) this.$toast.show(this.$options.i18n.organizationAdded);
-
-      this.$router.replace({ name: INDEX_ROUTE_NAME });
+    getEditRoute(id) {
+      return { name: this.$options.EDIT_ROUTE_NAME, params: { id } };
     },
   },
   fields: [
@@ -79,7 +67,7 @@ export default {
     { key: 'description', sortable: true },
     {
       key: 'id',
-      label: __('Issues'),
+      label: '',
       formatter: (id) => {
         return getIdFromGraphQLId(id);
       },
@@ -88,11 +76,13 @@ export default {
   i18n: {
     emptyText: s__('Crm|No organizations found'),
     issuesButtonLabel: __('View issues'),
-    title: s__('Crm|Customer Relations Organizations'),
+    editButtonLabel: __('Edit'),
+    title: s__('Crm|Customer relations organizations'),
     newOrganization: s__('Crm|New organization'),
     errorText: __('Something went wrong. Please try again.'),
-    organizationAdded: s__('Crm|Organization has been added'),
   },
+  EDIT_ROUTE_NAME,
+  NEW_ROUTE_NAME,
 };
 </script>
 
@@ -108,15 +98,17 @@ export default {
         {{ $options.i18n.title }}
       </h2>
       <div
-        v-if="canCreateNew"
+        v-if="canAdmin"
         class="gl-display-none gl-md-display-flex gl-align-items-center gl-justify-content-end"
       >
-        <gl-button variant="confirm" data-testid="new-organization-button" @click="displayNewForm">
-          {{ $options.i18n.newOrganization }}
-        </gl-button>
+        <router-link :to="{ name: $options.NEW_ROUTE_NAME }">
+          <gl-button variant="confirm" data-testid="new-organization-button">
+            {{ $options.i18n.newOrganization }}
+          </gl-button>
+        </router-link>
       </div>
     </div>
-    <new-organization-form v-if="showNewForm" :drawer-open="showNewForm" @close="hideNewForm" />
+    <router-view />
     <gl-loading-icon v-if="isLoading" class="gl-mt-5" size="lg" />
     <gl-table
       v-else
@@ -126,14 +118,24 @@ export default {
       :empty-text="$options.i18n.emptyText"
       show-empty
     >
-      <template #cell(id)="data">
+      <template #cell(id)="{ value: id }">
         <gl-button
           v-gl-tooltip.hover.bottom="$options.i18n.issuesButtonLabel"
+          class="gl-mr-3"
           data-testid="issues-link"
           icon="issues"
           :aria-label="$options.i18n.issuesButtonLabel"
-          :href="getIssuesPath(groupIssuesPath, data.value)"
+          :href="getIssuesPath(groupIssuesPath, id)"
         />
+        <router-link :to="getEditRoute(id)">
+          <gl-button
+            v-if="canAdmin"
+            v-gl-tooltip.hover.bottom="$options.i18n.editButtonLabel"
+            data-testid="edit-organization-button"
+            icon="pencil"
+            :aria-label="$options.i18n.editButtonLabel"
+          />
+        </router-link>
       </template>
     </gl-table>
   </div>
diff --git a/app/assets/javascripts/crm/organizations/routes.js b/app/assets/javascripts/crm/organizations/routes.js
new file mode 100644
index 00000000000..85bd3b32877
--- /dev/null
+++ b/app/assets/javascripts/crm/organizations/routes.js
@@ -0,0 +1,20 @@
+import { INDEX_ROUTE_NAME, NEW_ROUTE_NAME, EDIT_ROUTE_NAME } from '../constants';
+import OrganizationFormWrapper from './components/organization_form_wrapper.vue';
+
+export default [
+  {
+    name: INDEX_ROUTE_NAME,
+    path: '/',
+  },
+  {
+    name: NEW_ROUTE_NAME,
+    path: '/new',
+    component: OrganizationFormWrapper,
+  },
+  {
+    name: EDIT_ROUTE_NAME,
+    path: '/:id/edit',
+    component: OrganizationFormWrapper,
+    props: { isEditMode: true },
+  },
+];
diff --git a/app/assets/javascripts/graphql_shared/constants.js b/app/assets/javascripts/graphql_shared/constants.js
index 3726743c032..22fa2912881 100644
--- a/app/assets/javascripts/graphql_shared/constants.js
+++ b/app/assets/javascripts/graphql_shared/constants.js
@@ -3,6 +3,7 @@ export const MINIMUM_SEARCH_LENGTH = 3;
 export const TYPE_BOARD = 'Board';
 export const TYPE_CI_RUNNER = 'Ci::Runner';
 export const TYPE_CRM_CONTACT = 'CustomerRelations::Contact';
+export const TYPE_CRM_ORGANIZATION = 'CustomerRelations::Organization';
 export const TYPE_DISCUSSION = 'Discussion';
 export const TYPE_EPIC = 'Epic';
 export const TYPE_EPIC_BOARD = 'Boards::EpicBoard';
diff --git a/app/assets/javascripts/lib/utils/text_markdown.js b/app/assets/javascripts/lib/utils/text_markdown.js
index ac2eb34260c..18eca11ac42 100644
--- a/app/assets/javascripts/lib/utils/text_markdown.js
+++ b/app/assets/javascripts/lib/utils/text_markdown.js
@@ -9,7 +9,7 @@ const LINK_TAG_PATTERN = '[{text}](url)';
 // a bullet point character (*+-) and an optional checkbox ([ ] [x])
 // OR a number with a . after it and an optional checkbox ([ ] [x])
 // followed by one or more whitespace characters
-const LIST_LINE_HEAD_PATTERN = /^(?<indent>\s*)(?<leader>((?<isUl>[*+-])|(?<isOl>\d+\.))( \[([x ])\])?\s)(?<content>.)?/;
+const LIST_LINE_HEAD_PATTERN = /^(?<indent>\s*)(?<leader>((?<isUl>[*+-])|(?<isOl>\d+\.))( \[([xX ])\])?\s)(?<content>.)?/;
 
 function selectedText(text, textarea) {
   return text.substring(textarea.selectionStart, textarea.selectionEnd);
@@ -391,6 +391,8 @@ function handleContinueList(e, textArea) {
       itemToInsert = `${indent}${leader}`;
     }
 
+    itemToInsert = itemToInsert.replace(/\[x\]/i, '[ ]');
+
     e.preventDefault();
 
     updateText({
diff --git a/app/assets/javascripts/pages/groups/crm/contacts/index.js b/app/assets/javascripts/pages/groups/crm/contacts/index.js
index a595246957f..6af47621c1d 100644
--- a/app/assets/javascripts/pages/groups/crm/contacts/index.js
+++ b/app/assets/javascripts/pages/groups/crm/contacts/index.js
@@ -1,3 +1,3 @@
-import initCrmContactsApp from '~/crm/contacts_bundle';
+import initCrmContactsApp from '~/crm/contacts/bundle';
 
 initCrmContactsApp();
diff --git a/app/assets/javascripts/pages/groups/crm/organizations/index.js b/app/assets/javascripts/pages/groups/crm/organizations/index.js
index 16479b43d52..2ad0904688e 100644
--- a/app/assets/javascripts/pages/groups/crm/organizations/index.js
+++ b/app/assets/javascripts/pages/groups/crm/organizations/index.js
@@ -1,3 +1,3 @@
-import initCrmOrganizationsApp from '~/crm/organizations_bundle';
+import initCrmOrganizationsApp from '~/crm/organizations/bundle';
 
 initCrmOrganizationsApp();
diff --git a/app/assets/javascripts/runner/components/runner_jobs.vue b/app/assets/javascripts/runner/components/runner_jobs.vue
index eb77babcc57..b25d92d049e 100644
--- a/app/assets/javascripts/runner/components/runner_jobs.vue
+++ b/app/assets/javascripts/runner/components/runner_jobs.vue
@@ -1,5 +1,5 @@
 <script>
-import { GlSkeletonLoading } from '@gitlab/ui';
+import { GlDeprecatedSkeletonLoading as GlSkeletonLoading } from '@gitlab/ui';
 import { createAlert } from '~/flash';
 import runnerJobsQuery from '../graphql/details/runner_jobs.query.graphql';
 import { I18N_FETCH_ERROR, I18N_NO_JOBS_FOUND, RUNNER_DETAILS_JOBS_PAGE_SIZE } from '../constants';
diff --git a/app/assets/javascripts/runner/components/runner_projects.vue b/app/assets/javascripts/runner/components/runner_projects.vue
index f8ec29b8a24..d080d34fdd3 100644
--- a/app/assets/javascripts/runner/components/runner_projects.vue
+++ b/app/assets/javascripts/runner/components/runner_projects.vue
@@ -1,5 +1,5 @@
 <script>
-import { GlSkeletonLoading } from '@gitlab/ui';
+import { GlDeprecatedSkeletonLoading as GlSkeletonLoading } from '@gitlab/ui';
 import { sprintf, formatNumber } from '~/locale';
 import { createAlert } from '~/flash';
 import runnerProjectsQuery from '../graphql/details/runner_projects.query.graphql';
diff --git a/app/assets/javascripts/security_configuration/components/feature_card.vue b/app/assets/javascripts/security_configuration/components/feature_card.vue
index cd5ad86e1a8..4ce3c7cbc9a 100644
--- a/app/assets/javascripts/security_configuration/components/feature_card.vue
+++ b/app/assets/javascripts/security_configuration/components/feature_card.vue
@@ -2,6 +2,7 @@
 import { GlButton, GlCard, GlIcon, GlLink } from '@gitlab/ui';
 import { __, s__, sprintf } from '~/locale';
 import ManageViaMr from '~/vue_shared/security_configuration/components/manage_via_mr.vue';
+import { REPORT_TYPE_SAST_IAC } from '~/vue_shared/security_reports/constants';
 
 export default {
   components: {
@@ -61,6 +62,12 @@ export default {
       const { name, description, configurationText } = this.feature.secondary ?? {};
       return Boolean(name && description && configurationText);
     },
+    // This condition is a temporary hack to not display any wrong information
+    // until this BE Bug is fixed: https://gitlab.com/gitlab-org/gitlab/-/issues/350307.
+    // More Information: https://gitlab.com/gitlab-org/gitlab/-/issues/350307#note_825447417
+    isNotSastIACTemporaryHack() {
+      return this.feature.type !== REPORT_TYPE_SAST_IAC;
+    },
   },
   methods: {
     onError(message) {
@@ -85,6 +92,7 @@ export default {
       <h3 class="gl-font-lg gl-m-0 gl-mr-3">{{ feature.name }}</h3>
 
       <div
+        v-if="isNotSastIACTemporaryHack"
         :class="statusClasses"
         data-testid="feature-status"
         :data-qa-selector="`${feature.type}_status`"
@@ -109,7 +117,7 @@ export default {
       <gl-link :href="feature.helpPath">{{ $options.i18n.learnMore }}</gl-link>
     </p>
 
-    <template v-if="available">
+    <template v-if="available && isNotSastIACTemporaryHack">
       <gl-button
         v-if="feature.configurationPath"
         :href="feature.configurationPath"
diff --git a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue
index 028d48e7e8a..20f178dfb7d 100644
--- a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue
+++ b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue
@@ -1,5 +1,10 @@
 <script>
-import { GlAlert, GlKeysetPagination, GlSkeletonLoading, GlPagination } from '@gitlab/ui';
+import {
+  GlAlert,
+  GlKeysetPagination,
+  GlDeprecatedSkeletonLoading as GlSkeletonLoading,
+  GlPagination,
+} from '@gitlab/ui';
 import { uniqueId } from 'lodash';
 import { getIdFromGraphQLId } from '~/graphql_shared/utils';
 import { updateHistory, setUrlParams } from '~/lib/utils/url_utility';
diff --git a/app/controllers/groups/crm/organizations_controller.rb b/app/controllers/groups/crm/organizations_controller.rb
index f8536b4f538..846995ecba5 100644
--- a/app/controllers/groups/crm/organizations_controller.rb
+++ b/app/controllers/groups/crm/organizations_controller.rb
@@ -10,6 +10,10 @@ class Groups::Crm::OrganizationsController < Groups::ApplicationController
     render action: "index"
   end
 
+  def edit
+    render action: "index"
+  end
+
   private
 
   def authorize_read_crm_organization!
diff --git a/app/controllers/projects/merge_requests/creations_controller.rb b/app/controllers/projects/merge_requests/creations_controller.rb
index 88337242fcd..93e2298ca98 100644
--- a/app/controllers/projects/merge_requests/creations_controller.rb
+++ b/app/controllers/projects/merge_requests/creations_controller.rb
@@ -81,7 +81,7 @@ class Projects::MergeRequests::CreationsController < Projects::MergeRequests::Ap
   def branch_to
     @target_project = selected_target_project
 
-    if @target_project && params[:ref].present?
+    if @target_project && params[:ref].present? && Ability.allowed?(current_user, :create_merge_request_in, @target_project)
       @ref = params[:ref]
       @commit = @target_project.commit(Gitlab::Git::BRANCH_REF_PREFIX + @ref)
     end
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index 15b19dc8d7c..0703c6d1df3 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -824,6 +824,8 @@ module Ci
           variables.append(key: 'CI_OPEN_MERGE_REQUESTS', value: open_merge_requests_refs.join(','))
         end
 
+        variables.append(key: 'CI_GITLAB_FIPS_MODE', value: 'true') if Gitlab::FIPS.enabled?
+
         variables.append(key: 'CI_KUBERNETES_ACTIVE', value: 'true') if has_kubernetes_active?
         variables.append(key: 'CI_DEPLOY_FREEZE', value: 'true') if freeze_period?
 
diff --git a/app/models/ci/runner.rb b/app/models/ci/runner.rb
index 4228da279a4..b9ba9d8e1b0 100644
--- a/app/models/ci/runner.rb
+++ b/app/models/ci/runner.rb
@@ -65,6 +65,8 @@ module Ci
     FORM_EDITABLE = %i[description tag_list active run_untagged locked access_level maximum_timeout_human_readable].freeze
     MINUTES_COST_FACTOR_FIELDS = %i[public_projects_minutes_cost_factor private_projects_minutes_cost_factor].freeze
 
+    TAG_LIST_MAX_LENGTH = 50
+
     has_many :builds
     has_many :runner_projects, inverse_of: :runner, autosave: true, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
     has_many :projects, through: :runner_projects, disable_joins: true
@@ -520,6 +522,11 @@ module Ci
         errors.add(:tags_list,
           'can not be empty when runner is not allowed to pick untagged jobs')
       end
+
+      if tag_list_changed? && tag_list.count > TAG_LIST_MAX_LENGTH
+        errors.add(:tags_list,
+          "Too many tags specified. Please limit the number of tags to #{TAG_LIST_MAX_LENGTH}")
+      end
     end
 
     def no_projects
diff --git a/app/models/integrations/asana.rb b/app/models/integrations/asana.rb
index 054f0606dd2..e7634f51ec4 100644
--- a/app/models/integrations/asana.rb
+++ b/app/models/integrations/asana.rb
@@ -59,12 +59,9 @@ module Integrations
     def execute(data)
       return unless supported_events.include?(data[:object_kind])
 
-      # check the branch restriction is poplulated and branch is not included
       branch = Gitlab::Git.ref_name(data[:ref])
-      branch_restriction = restrict_to_branch.to_s
-      if branch_restriction.present? && branch_restriction.index(branch).nil?
-        return
-      end
+
+      return unless branch_allowed?(branch)
 
       user = data[:user_name]
       project_name = project.full_name
@@ -103,5 +100,13 @@ module Integrations
         end
       end
     end
+
+    private
+
+    def branch_allowed?(branch_name)
+      return true if restrict_to_branch.blank?
+
+      restrict_to_branch.to_s.gsub(/\s+/, '').split(',').include?(branch_name)
+    end
   end
 end
diff --git a/app/models/releases/link.rb b/app/models/releases/link.rb
index acc56d3980a..347adbdf96a 100644
--- a/app/models/releases/link.rb
+++ b/app/models/releases/link.rb
@@ -9,10 +9,20 @@ module Releases
     # See https://gitlab.com/gitlab-org/gitlab/-/issues/218753
     # Regex modified to prevent catastrophic backtracking
     FILEPATH_REGEX = %r{\A\/[^\/](?!.*\/\/.*)[\-\.\w\/]+[\da-zA-Z]+\z}.freeze
+    FILEPATH_MAX_LENGTH = 128
 
     validates :url, presence: true, addressable_url: { schemes: %w(http https ftp) }, uniqueness: { scope: :release }
     validates :name, presence: true, uniqueness: { scope: :release }
-    validates :filepath, uniqueness: { scope: :release }, format: { with: FILEPATH_REGEX }, allow_blank: true, length: { maximum: 128 }
+    validates :filepath, uniqueness: { scope: :release }, allow_blank: true
+    validate :filepath_format_valid?
+
+    # we use a custom validator here to prevent running the regex if the string is too long
+    # see https://gitlab.com/gitlab-org/gitlab/-/issues/273771
+    def filepath_format_valid?
+      return if filepath.nil? # valid use case
+      return errors.add(:filepath, "is too long (maximum is #{FILEPATH_MAX_LENGTH} characters)") if filepath.length > FILEPATH_MAX_LENGTH
+      return errors.add(:filepath, 'is in an invalid format') unless FILEPATH_REGEX.match? filepath
+    end
 
     scope :sorted, -> { order(created_at: :desc) }
 
diff --git a/app/models/ssh_host_key.rb b/app/models/ssh_host_key.rb
index bb928118edf..ac7ba9530dd 100644
--- a/app/models/ssh_host_key.rb
+++ b/app/models/ssh_host_key.rb
@@ -46,11 +46,11 @@ class SshHostKey
       .select(&:valid?)
   end
 
-  attr_reader :project, :url, :compare_host_keys
+  attr_reader :project, :url, :ip, :compare_host_keys
 
   def initialize(project:, url:, compare_host_keys: nil)
     @project = project
-    @url = normalize_url(url)
+    @url, @ip = normalize_url(url)
     @compare_host_keys = compare_host_keys
   end
 
@@ -90,9 +90,11 @@ class SshHostKey
   end
 
   def calculate_reactive_cache
+    input = [ip, url.hostname].compact.join(' ')
+
     known_hosts, errors, status =
       Open3.popen3({}, *%W[ssh-keyscan -T 5 -p #{url.port} -f-]) do |stdin, stdout, stderr, wait_thr|
-        stdin.puts(url.host)
+        stdin.puts(input)
         stdin.close
 
         [
@@ -127,11 +129,31 @@ class SshHostKey
   end
 
   def normalize_url(url)
-    full_url = ::Addressable::URI.parse(url)
-    raise ArgumentError, "Invalid URL" unless full_url&.scheme == 'ssh'
+    url, real_hostname = Gitlab::UrlBlocker.validate!(
+      url,
+      schemes: %w[ssh],
+      allow_localhost: allow_local_requests?,
+      allow_local_network: allow_local_requests?,
+      dns_rebind_protection: Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
+    )
 
-    Addressable::URI.parse("ssh://#{full_url.host}:#{full_url.inferred_port}")
-  rescue Addressable::URI::InvalidURIError
+    # When DNS rebinding protection is required, the hostname is replaced by the
+    # resolved IP. However, `url` is used in `id`, so we can't change it. Track
+    # the resolved IP separately instead.
+    if real_hostname
+      ip = url.hostname
+      url.hostname = real_hostname
+    end
+
+    # Ensure ssh://foo and ssh://foo:22 share the same cache
+    url.port = url.inferred_port
+
+    [url, ip]
+  rescue Gitlab::UrlBlocker::BlockedUrlError
     raise ArgumentError, "Invalid URL"
   end
+
+  def allow_local_requests?
+    Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 281e52b90b0..b15daeb0c4a 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -879,6 +879,23 @@ class User < ApplicationRecord
     reset_password_sent_at.present? && reset_password_sent_at >= 1.minute.ago
   end
 
+  # See https://gitlab.com/gitlab-org/security/gitlab/-/issues/638
+  DISALLOWED_PASSWORDS = %w[123qweQWE!@#000000000].freeze
+
+  # Overwrites valid_password? from Devise::Models::DatabaseAuthenticatable
+  # In constant-time, check both that the password isn't on a denylist AND
+  # that the password is the user's password
+  def valid_password?(password)
+    password_allowed = true
+    DISALLOWED_PASSWORDS.each do |disallowed_password|
+      password_allowed = false if Devise.secure_compare(password, disallowed_password)
+    end
+
+    original_result = super
+
+    password_allowed && original_result
+  end
+
   def remember_me!
     super if ::Gitlab::Database.read_write?
   end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f5e3f30c61b..a417ea35673 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -240,7 +240,6 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:guest_access) }.policy do
     enable :read_project
-    enable :create_merge_request_in
     enable :read_issue_board
     enable :read_issue_board_list
     enable :read_wiki
@@ -497,7 +496,7 @@ class ProjectPolicy < BasePolicy
     prevent(*create_read_update_admin_destroy(:issue_board_list))
   end
 
-  rule { merge_requests_disabled | repository_disabled }.policy do
+  rule { merge_requests_disabled | repository_disabled | ~can?(:download_code) }.policy do
     prevent :create_merge_request_in
     prevent :create_merge_request_from
     prevent(*create_read_update_admin_destroy(:merge_request))
@@ -600,13 +599,14 @@ class ProjectPolicy < BasePolicy
     enable :read_cycle_analytics
     enable :read_pages_content
     enable :read_analytics
-    enable :read_ci_cd_analytics
     enable :read_insights
 
     # NOTE: may be overridden by IssuePolicy
     enable :read_issue
   end
 
+  rule { can?(:public_access) & public_builds }.enable :read_ci_cd_analytics
+
   rule { public_builds }.policy do
     enable :read_build
   end
@@ -664,6 +664,10 @@ class ProjectPolicy < BasePolicy
     enable :read_security_configuration
   end
 
+  rule { can?(:guest_access) & can?(:read_commit_status) }.policy do
+    enable :create_merge_request_in
+  end
+
   # Design abilities could also be prevented in the issue policy.
   rule { design_management_disabled }.policy do
     prevent :read_design
diff --git a/app/services/quick_actions/interpret_service.rb b/app/services/quick_actions/interpret_service.rb
index 9184c99c039..47f4b9c6898 100644
--- a/app/services/quick_actions/interpret_service.rb
+++ b/app/services/quick_actions/interpret_service.rb
@@ -77,7 +77,10 @@ module QuickActions
       # want to also handle bare usernames. The ReferenceExtractor also has
       # different behaviour, and will return all group members for groups named
       # using a user-style reference, which is not in scope here.
+      #
+      # nb: underscores may be passed in escaped to protect them from markdown rendering
       args        = params.split(/\s|,/).select(&:present?).uniq - ['and']
+      args.map! { _1.gsub(/\\_/, '_') }
       usernames   = (args - ['me']).map { _1.delete_prefix('@') }
       found       = User.by_username(usernames).to_a.select { can?(:read_user, _1) }
       found_names = found.map(&:username).to_set
diff --git a/app/views/groups/crm/contacts/index.html.haml b/app/views/groups/crm/contacts/index.html.haml
index 81293937f77..8a971e451a4 100644
--- a/app/views/groups/crm/contacts/index.html.haml
+++ b/app/views/groups/crm/contacts/index.html.haml
@@ -1,4 +1,8 @@
-- breadcrumb_title _('Customer Relations Contacts')
-- page_title _('Customer Relations Contacts')
+- breadcrumb_title _('Customer relations contacts')
+- page_title _('Customer relations contacts')
+- @content_wrapper_class = "gl-relative"
+
+= content_for :after_content do
+  #js-crm-form-portal
 
 #js-crm-contacts-app{ data: { group_full_path: @group.full_path, group_issues_path: issues_group_path(@group), group_id: @group.id, can_admin_crm_contact: can?(current_user, :admin_crm_contact, @group).to_s, base_path: group_crm_contacts_path(@group) } }
diff --git a/app/views/groups/crm/organizations/index.html.haml b/app/views/groups/crm/organizations/index.html.haml
index 1647805b976..ff1ba678de0 100644
--- a/app/views/groups/crm/organizations/index.html.haml
+++ b/app/views/groups/crm/organizations/index.html.haml
@@ -1,4 +1,8 @@
-- breadcrumb_title _('Customer Relations Organizations')
-- page_title _('Customer Relations Organizations')
+- breadcrumb_title _('Customer relations organizations')
+- page_title _('Customer relations organizations')
+- @content_wrapper_class = "gl-relative"
+
+= content_for :after_content do
+  #js-crm-form-portal
 
 #js-crm-organizations-app{ data: { base_path: group_crm_organizations_path(@group), can_admin_crm_organization: can?(current_user, :admin_crm_organization, @group).to_s, group_full_path: @group.full_path, group_id: @group.id, group_issues_path: issues_group_path(@group) } }
diff --git a/config/initializers/rdoc_segfault_patch.rb b/config/initializers/rdoc_segfault_patch.rb
new file mode 100644
index 00000000000..2494d7ef421
--- /dev/null
+++ b/config/initializers/rdoc_segfault_patch.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# Monkey patch of RDoc to prevent Ruby segfault due to
+# stack buffer overflow Ruby bug -
+# https://bugs.ruby-lang.org/issues/16376
+#
+# Safe to remove once GitLab upgrades to Ruby 3.0
+# or once the fix is backported to 2.7.x and
+# GitLab upgrades.
+# https://gitlab.com/gitlab-org/gitlab/-/issues/351179
+class RDoc::Markup::ToHtml
+  def parseable?(_)
+    false
+  end
+end
+
+class RDoc::Markup::Verbatim
+  def ruby?
+    false
+  end
+end
diff --git a/config/routes/group.rb b/config/routes/group.rb
index 7252bdc251d..bf6094ff2f1 100644
--- a/config/routes/group.rb
+++ b/config/routes/group.rb
@@ -135,7 +135,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
 
     namespace :crm do
       resources :contacts, only: [:index, :new, :edit]
-      resources :organizations, only: [:index, :new]
+      resources :organizations, only: [:index, :new, :edit]
     end
   end
 
diff --git a/db/fixtures/development/18_abuse_reports.rb b/db/fixtures/development/18_abuse_reports.rb
index b06beca35e9..88d2f784852 100644
--- a/db/fixtures/development/18_abuse_reports.rb
+++ b/db/fixtures/development/18_abuse_reports.rb
@@ -11,7 +11,7 @@ module Db
                   name: FFaker::Name.name,
                   email: FFaker::Internet.email,
                   confirmed_at: DateTime.now,
-                  password: Gitlab::Password.test_default
+                  password: '12345678'
                 )
 
               ::AbuseReport.create(reporter: ::User.take, user: reported_user, message: 'User sends spam')
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index 44a8e631660..3b504b02fae 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -58,6 +58,7 @@ There are also a number of [variables you can use to configure runner behavior](
 | `CI_ENVIRONMENT_URL`                     | 9.3    | all    | The URL of the environment for this job. Available if [`environment:url`](../yaml/index.md#environmenturl) is set. |
 | `CI_ENVIRONMENT_ACTION`                  | 13.11  | all    | The action annotation specified for this job's environment. Available if [`environment:action`](../yaml/index.md#environmentaction) is set. Can be `start`, `prepare`, or `stop`. |
 | `CI_ENVIRONMENT_TIER`                    | 14.0   | all    | The [deployment tier of the environment](../environments/index.md#deployment-tier-of-environments) for this job. |
+| `CI_GITLAB_FIPS_MODE`                    | 14.10  | all    | The configuration setting for whether FIPS mode is enabled in the GitLab instance. |
 | `CI_HAS_OPEN_REQUIREMENTS`               | 13.1   | all    | Only available if the pipeline's project has an open [requirement](../../user/project/requirements/index.md). `true` when available. |
 | `CI_JOB_ID`                              | 9.0    | all    | The internal ID of the job, unique across all jobs in the GitLab instance. |
 | `CI_JOB_IMAGE`                           | 12.9   | 12.9   | The name of the Docker image running the job. |
diff --git a/doc/user/crm/crm_contacts_v14_10.png b/doc/user/crm/crm_contacts_v14_10.png
new file mode 100644
index 0000000000000000000000000000000000000000..f82878f9d4bdb560442fb25fd5664e5aa006e8e5
GIT binary patch
literal 18015
zcmeIabyQnl)Fw<z3vDT+LZL+~NO6Y(K}rR8*Wm6NBuFVzDDDIZR@~i#Q`{w3in}`j
z@}=!>Ui-dzXU%$NzWHaeR@Pm)=iDRv?0fd}?7dIE$;pV~KOlL4g@uJLF7{CY3+v8Z
zEUa5h_ikhEptWR>n9D5(1yK>Kq5-lE%#S-J@1@^kVU>pAUFl(JV%@hDQ+L3^B53>l
zz13xtV~B<I=~(>ZdnK^W&K%N)tSe#t`b>7JV^J#!dNj{cg0*+&-XmRM;#-Rhw^(#v
zdEZ@Le59d{M-k8!SR*N>^2kq2<}J$|lJAT!7J43tkUm~#eT{G7B*Gs}K0NV6a$~4$
znG0XCVg-DEW+C|FFFYJK*yXUY>`7R{E8a~1Q6%7=d)+^ul!TOF^vONUAceIb127k?
zlTX0kmoegl-xoPhJ2vJb4Egtks=nY~N4ZOlE$deqqJS(JGT5co#7{h^9J68m{>94E
zMiYkW`G%92+PF&qaQMxsfPmu(9;^ZC!Dd&HZBi3crLI|bIek0=yLy6Yy@WSp$>*se
z;Ofh;W%^!>v4!2t7n`Pw)x(uu&omz)rtiQ?lR?G7utAn$&r;6oC2Xetyu$Gdhilvc
zrt=?Nd3Hcs8@FHe*rUt?wLHV9_7*%!#AH}pk+NiLHZA~POXolm(+jx3`8{yI9(i44
zCRTDaotA>#hPQBic=F?i`;CzzLornRoH-D8HNf31RK{_7je@jj{0rij)8Z{GEbq{g
zT(Ge8ZhxE5#J66>jNMnS>z(JbXP!`XFyHHb1x>24tWKdk$;JQRM<nv)$HCt5v5v;6
zq)$qo|KwJ$sx0|5ygEDEL>5iT!2Nu`@8c}c(Q&MB4(Vb&(66ymwKPd{30vQAO+RZ5
zV8CM`pQhzaahn&4InMs^O_Aou+P4oMY^KcPrQHHRWK(dS1O}Fdq0u8`fN1Cr@~H1?
zbmQTCZ3c4M;LJ%+kLw$5Eb{p~LzR>5i-}>pV2di@L8+|qv_c3c+i?Y=7J=H5w4kvv
zT1-eufyqeqhPt_(k~i7Te3s}{_4h~^l%_p8*v}cCzZL~mp8!P1%J+tH@1N;L=3a3S
z)3la)trCoKRBC9yJ8Q&7sHnzG_N!#MAuGqhZid$5cd%0`gx#2>tTEEwE+B#ng-dTa
z9C#-Tp;(?wHNOnTl>+NdbQM4NDs7prtr^IZr`-T9)dT7pCs5nu=Zial8|^Pl2hk3@
zRmpjLn@2vCe#C%dvgaw9>h2X)K-3bpfNU5PQHpRL9F~-{u;_gXad$hVc-~Z1SH;J3
zwUa^%YPwz@-W)eTh1Qua&z}#cd{{cW`gpN!aq*}_Dwn##7N+e1-u2#=Z1p}FuZ0QL
zu5~$B&{L>2R#R0z!ebFcjGAQc83i1z2XAD!Tg^>S7BYwSZlxi6jkzh_v2vmi)6>MG
z*zWG3Iy$Zu?2wAJ=Gss7uA8U5_G2H)&nEibH!?Dnvd>kU$incko0<fei+@-b9lD2w
zvh<X)B)Qj_3<g*AI~GpF#_iUE4eQ`0gFmGaSDW5SdvVpOnL9e9Rfxqk><)+DDo0-R
zV-R<d|Jwf!?!nP5n8wt{uZ63F5}6Ba-*Bj&Kk`hQ-ElxxDb6R2+&>N=CfJ>G*q`!4
z$QsgE=YVzf3~dIRpTTa{qYiwnpDKrTU+p+NxpR+0$WyOnp!}(^NU=-dRP|IpE%xe3
z@M__u*oZQ)<aGG>r|w=$b|3$iXH;1mo8o4HVA=3CohCIgAfC9jf!nV4atCjffe4#;
zUPnVZ>sQuEt9-G?!s`IqLCE?Oib8Et`<*By9UaPg^Qz%W4N!u+RSudTcdoi_MOdZy
zVf$ubaY1~@_>qX;f14p#nC94=5553yE*pI4cXb!$d1+RzD_qcj4Gxo1p2Mae4p>WJ
zlu8XLjxz?i--P#l?CO)^A_hFvF5k1oBL&2}td3XFl&3sJfnN@!2sH9jQvzz}oE|Ou
zjOP#TLF~^H)nA<D^!DjM!N2&IB)R)LuurW}9>8Cq;$r4TftxEAYWkYg`54(Sjrccw
z?{2<<*bkcLBO<}6a``_>u>}Ud&(OwR(Q=!ekUawg9&2F~TQ|UJ2Zha^pjv))-XIr`
z<O#!V$Dtt0Go*lSAY9I8w`m#jK`cnmrP+3Ap5i%<{mwF1f>l54+WVKS3D>*4WT>07
zBWL}ls{PieOV>03KU^n?MIX`LCE2t1Yzsq*h9);u+^F&9oCsz`P-y~X<;WRwFK+%D
zxT-!-SBI?OC0pn8NKN1B91V?N>9^O>HujrqegxlVqurF+u?MbxdJ?aJxfAUN@w(;F
zI>vj(Pp=z>e29rNhYrEQ<2_U<HFfk{wcJ;k{Ne6P0hw;6u4&^Ph`Z%J7iFT>r<4P~
z4VLqi3S8C_cEM(kq&+>lKG%@oKv0Pi0nP~{{BfZt9a^VG69OnWKdV*BFsS}I=)%6_
zLSk2Pu>SsWPmB-aVED!7f)cngJ>9D7*~y9-8h;WJfYUWMX$$SZj^uMG8Wfy5YWKMz
zHtwG$TD--9@Pe#|yH<26fv?)QP9Te1XE7@fSr`;dJ(DrE!>j0WWEf5Fb+YQ`={{>8
z-)2*9!x-Ix&7g|AZ2)v{axz_)xa{z^9a})P=i?D;8A$ZtmGAn-VWvB|S-#<8vlAhW
z!z?Ryz3tP!iP(Dzjb7=!Hm<d~v_AN=o+ey@xZGj^xA30{Qex(gwGXafqKFroS)94r
z0rUMajr^8O6yQf_y<6z|bo`5eV2z*me`^A6#h&Y{-;dPe|7XVXKeeR)Glj~X*p!&9
z0c)Mvv#5Cg;&;#g9sB%0)9Sys?EhPy^tRsL==p$tkc&QBxP+nM@N>W0zwIj4wzUcJ
za@z*C2z`QtpQr|yoHJab>b(-{_Xn_%I&^>Q=s$UQ6_)`=6{DBt(5FI36ddLbgD=7=
zzE=z)fk&r5$BmHY5B{uxb19s>hB<0(_F??*3M0tt(Igu#Kk#o+)sJU00MM6v$i*lh
zm7C0%o7IGBNE_WBd^6Q?v$-#2z1RyHhgHP<%M;HJgtxrfvFm#_M_TuYV^ywyqZNtA
zfQlPYV2N*2{JZHl{=`>@p9^&ajH~u|onrzq<*Bz8eJ0S{lz;+enXrea6yVkYIrr0T
zuRIrBOTFHsvGJMWu!kNlx|ewHS!M3$zpH(JNI_E5uoy=vpwTo7FE#<8S0a&Lr+0#I
z>+fpM1!M3RULdXpdPWIY(gcJodgEi;b6*d*l(1U%@bbL}zO*{{Vii0&!~SX4(Mn*d
zX!jFl6nERP3(;0U3N=v5`iw!AraM3oeYq3E1#76XcVEOM4#XvSMUnIQH`tpF1gD<B
z@w>3|RdJ*^OU~BY1z-xlj12_Zjy%<C5ITc+2q`ec$l5aXtXU9Rx7U0&z*Hcp;W{@E
z8}p7|t5M)u1l?j&`_2&EvX=}URcvG(ycr#7&;5WpO9YB`5vfdKCYHc|CQuKhB{;5+
zZk|{OXL1;<Cctm><S#hka@EtbI%t*eE^)~;#G!O?Lx~`71O(haTVHZ9z~QX>+Tv{E
z?;On+oxy>5j{pUIvJbuXQgchfNt!sT7dL-7&<{$9X?_htNU0Q20|3$<ITX_m+_gX{
zkcFJNVZq!H49s*ZJsoz;@vUfUCLIU7$t5aBk$?^vGz8!O7|(g9hL~&JYP*(2#B!px
zgwAwGm<o#LJq>D*l&F+zS^R$P^-o?JBV0hvcXNIK?ORyhQj!PF%bS$cTa-77v^V=g
z6ApCR=;~pxuIrT<M;hO8@4IJ=rX+v@j9O$FVRk6T^^S-LMfUfcHY-H~VPOsLY=17h
zAFhXqe%2v-0jpM=8O%cMR1=<hZ2fB4BLl9ldExr6l@HQfeLY+sZi1j-d|+1SdkTn=
z{<*i*Qv(S!DMIT)7VnL$_;kuO<ii^lf&_7R^xIqB+8b-p+5Y~sQri8$-oQuG(kSc8
z<_?OO8o)!*767ZC?f0{?@VeW1qK!$+kv{W2u)5EzTLcZJTP1a@H;X^Ltu|?;@iC*~
zK=%La!oGPc#i*yzNx7PmQEcKcH^uILN*+GZyE?Ey+D(~K4)EOJ=X?h|T-<LSMMdg<
zK#jJRxPO+)LY1*NydJnHAbt1V2qWDo(W5F?0>Hz7*lk``dkzK;4;gA#El3JG==s~d
zPg~X3c7j$Cq!hr4;^U;-Sl-sd=D_{66CptjFB5heXANLU_hr1?+5(ulbkWB5pm}rr
z7DwT4Q!V>;l#xO$p{l%X&7`e<EWfwc(^JD^#K7s2H_GvsU+w<Q^`S+TH};x!_Fk5W
ze9!c(EUe<bU62=w8al$WGq2ZlU6w#W;YJ;7e#6OgWfjG0Ep&WukB!oe?po}9uk-X#
z#f5E~!{}Bv3*$whhcrQ>G41*VW{nrl4)FIX&-|^P1+0|`5K*RecVO?Po*qjxnm`L~
z=84K&er--V^H%gpR%`Pcy1%f!)zTVlECFGy@EzOGxuj^Q=63H{o*m^W64ET;w*Nw(
z_evs#xUM=?(D3KLhU_&wyYX0(e@%#$Q&Ryc!cxbpZ;np3)ydpn8Ckl6g*BJ9GKfpj
z^ycZVQ1K0`Bo&2i-qJ0hQj04?=W=i}?lWBfd1jgJ2OPZct~A6pM9%=CH`M^WS*``_
zqz^u&jXNzg8W!5g>S+B@L+f?5O79gPHjS)47~Qoo8AT{~X3M5%9^cnrxXZCaR+HZ2
zgmSVAL}o4~Z&V^)m2*?LM}eCuKQVJ_CV)E)51ihb2~4&&ZCJy%Uk4qW%PG=%^(eXH
zU{*e6oVB+D{Ib%ypF7MwdVP4ufyPsk1Vne74j4qRZmidM#$yPzWAVh2&%xSm<I$R^
z*HxH1Gh4D3R5?Y`V^8lPMc?W|xgYxK?R8QMTKuL@bg%Yf_lvJ|^@w57JwN59oCBeA
zqXllB@m|Bbm;C~{Dbr>QrR}SWKJ(uOJwy_W51KP7XAA;nGbmPDt|y7EJ{*14qgh)W
z^(1<Ju3n7%WS27ct^>}zu$pnvWiRo}C1O19YrdCVRB_y@4xH6K5B<xf%;s?g1t40f
zS*(h_J1QlarATlu<@P2UaxwloQ@?I|pw$cZ)^*j>fi`DITw=**Ty~YF^Rs^wG3>mj
z((s&-T6z6bm`af`JkY2qVE<HMrArXAGc#CHQHU9z(o+oCeSsGD2EW^LQFMU4myn}m
zKNsR)88p6%%HKQhADwEmS)n-=EWeLkHgb5-O{r8j%^l5qL&?oXrh(^0`W=^o>HCzK
zg~ucK*Fi;c!1H`qpAKu7o#w)Q6nO|P0e*vN3d^L|E-9Yocg(NV;1fW5HngB0P;W9l
z_vUcPMr)lXn4c7I4^^pshX3IH(4q^V;;>xTN)=dAwg1H`1+!Nt?s0#Yh3i9ULvZc8
zQs_Fd{Vz_d&=ewv;m<HIM36KXcdUYc0Pdh@o-jM(m{3s9v)Y9&xf$>}|A?UP`&kZu
zB$6X^eemT1Z}?MUZGrv;Je(F}Tvz1>59!24_?{yvQu4pwE35tG?y25)J(d~WSE6bI
zDoFrbilXs2Y6ofDq$M_%-Xb#CI}mzH(XCOuywDKb31iuW%vtEHd|7wdwee|6ngzng
z>fAMrcSdDp5br`?l3qO!mz@Fa{xfB|A~#vK6OgF9$w1k%DkC=v{xx57;n_T&R?@ZX
z`U<In%aSuV6MYD7MlEiJyH32dc#VZM6v9mcsBzgf`b@Egyv!x-lBq9$h`xwWk1ou-
zlh990NfZR5`U-Dd7W{gPsS8`YP%7onTTgSzM-&7ix0S5|4twc&x-z*(Iql51)}YUD
zuPV;FVFMTUCrzG;&e2%ECWQ-F)?h7l$JxwK^F)mf`qjHSTsn<QiuTtx$cCY+%YsMy
zY3M8*PDOnj6T&7`jY0LB#u=EIQxsl%{)~m*kz}w5135h%HH^B7V1`=*FlG^W5oz(_
zO<}xH&@!rh4>3q~N^p_Il55ER7*v}rh=1-j-GmMED1052>_<81A5b5QtT8vJkxotx
z0>7jvKux{!@OyKW7><7Vn#}#m^Jud_-$5|(?QuFw?0ELA8@!?JNeomFc0quFzp|!J
zw>qrdm@I<#>U&``n~edx*tbx2KEV&{c{MLQUfy|9*n#bK^e;=@g}pfc6$R<OEwpen
zs(<wM`^BrD*X{uFGR4nA5nSaT&amTl<0$)y1<F~d&TA7<xB7i}wy&7+Xd_|e-=Wdc
zJkYEhc9d+$_oPjsm!i=E$7LH};cEjc6u@)vDl+%l>B=$)W?ANT^0oh>J<SJ}h#Z}D
zv3z;fFtka^-Ey6>ntJiszDa+9M>q;e%5*c7U4)TJoO%s<e6lsHXw@%uV5gT%RotM;
z?aPA$;Tv7mVnLhU3iu;>rx_kwDFGHLd$^Z*r~s#S8nL)zsS8@3cesPn2Sb$ROgRp`
z-EBeV7u5+F#3{G!H@3VUQr;8O-CrwnS)Wr9j7GMe;U;!sUrY+hDy$NCc)cudVn3Uf
zJFiafYu|EjdwS%VM}zU#*rRR7o3O8mt&0W_E?(Ckot+kD&j=DPs##?NKw>vLd4oj+
zM(Fs-p&0~!O@1}4%!$ABB`99T6OjFG&XU^5Xty=>x~uo2Mo51b_G@&QGrrb6A^OCb
z_M0s;ZZdYXB_dMFwqN5Uy7%%>`D`%%WE<gSt`b_4sb5wfcPvyM!)+{19rf+}kQBQS
z0oN!&=iV&vEDH6gh*VBBVK;s#X6g8;mqDBJ2tWvM-pTlumMwiW<;7%eR(SsDE=u-$
zZE|7_^Oc45>&f6<X#g1kdUd+R;{>BGlL#%~uhj{2dmCa7y{4kogQD=(H7o=yxsrbY
z@k-g)0|aNMxOcHLU9&@p-Y<#o`biJ#<PN#vCjH}#OwRiO_7*~k{zj?Z)*paFmy~~S
zejWZ_WRAJL&ixzc{vk1`Gmrj2^Z%qWJ*)_LwFURuf?p4w**^u{1bK}}cpdf4G%XPR
z!#2G5ZLi@sVJ;31|CFA|Iy8;{x6<Ey1x|LIEaiL=ow_Nj@p*d9CdJi#d9&<aSOfIy
zo!@N~qi+h~e84u)1`<O<X8l~6_IF}lQ(y*%wHf?}k>s%a=`yt`5cl_xFaI|c=6%O)
z`c1Zmw6C;4ul^38b@1fb-_Du;kKZ&i0NS37=oWLI=hq`WoX$qVE@f}*TTBo@(0Ohy
zO0cEIxpU_Se|*M<fI~k^We8K%8RCei>G1yIZgD2p3_L${DO6y3^OaDIv#0HTUtjj&
z2$8_ZwRE7i*cs{#MCcvI#U4Q4jmK$v`L@sq57>OWzXN5SYC-C<f>uF763u2BZPp4r
zfE=e82BHKr6CTd{$Hmr`k_PnVALk0Rrv`*+_Z=WV<_?-2OlXja38h|>LRuHAy;~WB
zr>EE3mqCN0?bj}Yux%lyTtk1@UD5zqkX<!*+bn({Zc+ybM&fbm(LI4+I+|jzYcEg+
z+HQh80+L)U^xm8uJ#nFxIi(OZLuE51g0Yf+IuB5WCJ3TeJ7CAXC9dXm48Cd*AGoX8
zae#eJqo}9thV_g|sS8UoaMs;Ey}Oa7*2`*t{_K3N0W9^}=Z&w4r<2iYVRvvgZrJhZ
zX>tl;F&+_5BG04iQq3{+0<+R)E<o0rVM%_ywcH<{YIF^3ONy)a`lN^+$JgIF@OH4u
z)VI*w{*`Jrr7Co6RvCm_wf4?xxE*`_quE-6t9(}XY1DYpR)rtl)o!tjgv2G=;XrPa
zms3+mFmi7Pa@tpU?hLi*8-?%GB%E4Xo1`k9*EV4Yh<6=!?FpKl*LdC~oXx}NfG0cb
z+P7eL=Q_ZE7(Lf-%5h=uv4DqmtE;ZIIo9S8NoXwx|GKG!!47|rZwLvjJeiv>)<R#T
zUOYVh`D<#{7uUhSmj-H>I57X&tz@486!iuvB#<nf=%TSOPorWj1G{(+tBA{;IVjz-
zF1gvfIf20(b461GAS+E)NiSXCE*(vky8fs&Nd6``)q}XG5d=*ToU>6mK^tDS#ndZ0
zFYHIOz))Hv_Hi;ZgK+>#UZR<DgJ>=@i-4*!R;ShF@+#%AgFICDmPT#5k4(7p001Nq
z+m5YD<Z0KVU7p=aIu9VC5p4~(KfKbEWJWlht0EiiS9!~sLjg#S^5Y3t7auXt7pjm=
z0*2aVo20!c-tA{D0dMmSZ<-87V~q!l0?@Ocj^3N^TCWi8G<H^Z!?h{-ttCBokEv1b
zR2FVxQv77cGTtH2pv!||4GudsXVT>>OF6|w0iBMb0;i-i6sxIy(xU{at1_47K)}kI
zZ1?)j9ykaXGw;zBXbv)^Wr1Av^T2e1Lr#<6Tzk9DIDG!FEryx%>s$Q59E<TnA&<jx
zz_ywdZfc8HZK<QzMrW}nJIz6hFN#Mef`76!810O{F{wSHngufwqpvq8{jwLN7u12a
z*Nf;n@QyF)OsL83z!edaSV6ukbOiP5fJSA*V&u|`(YOYaf@(=GBFHaX1h?y7Lb8!s
z$1_=B(|cr^h}q?n-QvL{F9*Gio9hl9SxJZ5*ajh|9wo53e58q|^XE{<m2#Bo4T5Ya
z26eV4BnD+B%>V4ce}1VQv)c+QcthJ&#Kf#a%1>voUJmg^18etNLR7t|YD2ZJngwgj
z61R?H0J|)WUh;>>jUH`82)6A~(IUkPdsF0WG8wPeN|sp+1KLufgG;5x{UW_h`ri7>
zJO@wLN#|ctQ46kVZK5(aSJR8QlbwC<T+KB)vAtfQmlrkhBq_D(&kefwkPdd`6>oeq
zI4BvJt~$R1c1gT!cfQjdKYP)*b9WIYI&G(C8{C?lo*wCk3PpS*K<}3hBWKmFzzaRK
zs>LQ9?e#GXT%Fhu2pW7jf(j1a1C>?Ba7;Ea&cnyl!}G+dyvUM0yzDksV}`vrskivY
zWIdfeXb7f6kXP%^oAMJ03J<h*9v_{ofwU`j^!DC2c6mA*Ei83dz|X&NnmvCbDJsMB
zZ4V8KvlhF7bq(4s241dU*SdWBQOjo5-ZCk*<#Dvz0lQjEoL!r}?l77i-+AarAT+63
zb%4UgtEE-hxqN5zaOp74nGI5%`jS8j>A?rtEO959C)7D?2%pO)_utN^l&Zt?T8Qy{
z5y3oPfkz37Wb3wehbYmMt@SZAmsFBKCRuiJ)OHj~?}`9_ncP%u%#yNFYv$|QG%)gf
zI=cICW}u@lFJi9yu)oaylQq#3%NmZ8-5i#ohIM`+lc$h{40V2I9QSR^h#Xv`eJkxv
z6D^*dOz1YWJOZRXMGU+k!{}S_?zJa0C8XH-!E<KA6E(3L?FHKqBt)4;&G?9#!)Ks#
z+-6s{7wl-?>XliNG4?C=zOULR>fkeS=wTGk9BKCp9*M8@%ASt`mr^V~yY!0ff$Rd+
z62t35+%sA(9Tj3x<(g^*%bFc+h*zg6Bb*fL{OBghYAe)raIkfESh`<O{^#;)TH<I4
z=-}5_aZM?eIf(L;6qXB|z^0a+dCc1ufO*^aZyMy1nzjIBv~%?Y7sIb49`Jxf*k#+G
zdL6{)<JY9{7yQ@0H=dg5C93t)?oGDkJ(d=D1Fpa~eub9SlMIxDT0jT${aR17a9IA0
zswBtS_EWi2Z1uCJj|$tdZ}L@5jESTa&nphKGie#<W{V>4&ZO`fJp+I5Nvw$Z5T&Ai
zxzoWRM6&J0Z1D^Va!SjzxRu=QEQ5k9Zt=v8t@)W{_ZJcH2S32huvHBd7whT^x2~4*
z!!s8(3U~x@+WG$Q`|9(2`ULnMApufC^nPPJTs)VL(1xw3vKY;1XxEw-PfJA`P;Ou;
z=XeP+0I_Kqf{j1xWCa+{e+(Xv4eFAw@K~0zkv+&6)u+@VJ=jxoJ+qOzxjOD%yF|?$
zX{+C_uSxa^U0A#9G5C&KP^_{$-K7+I-P$l2PHCP|VT)#N?Uwts$kJ!>eXU<K7@(qm
z4Euh&<9)leg%Bn9q7GFu(k)<D{vpVBERG}lhjlhBv0yA8(<;<u<t9XRS!NYEWkE*~
z{`jnr1JVegh3%c0Dc6h1s$66uAcFfvHk?}r6<R;^qk@PCtX8VCSB7NJ)4<OszkK8W
zkyU1%L)ON^=G$wJW@E{&KGu6P)d60du9KjXPV6&h6hSZO7eg>Snx3MZ@-|OFX4Bp>
z0a6?zC({`!RFZmD0X*XU6x>dyp`*r_5rUkKRk8c*Jg>?#AT%@c3)Nnm5)M&Vo`qfc
z6obcqA|!yncBS)hP8kO5Rng5rV$KYSsSeD``4IDRQh<Q_yB!>Gwv5gZltJX~;w^Up
z=<sr<=HzG?49^eQVA^ym{Fy28`ExRNuZ<=zz9H?M?zeJeAGfO*CcP$1C@3lihgjws
z*iXwhYT}X&8S*{JjxOhBR@1VYMn{9suG{L1E?vAJo_!w$&xo_7(n*W8@si+GtPV^!
zML7|aD2k~;=W<TetdbpZZIm(vU`m$M4Q)3j$W&LczdE%}8kW66zXBZ-Y@29JyYPHh
z2}UpZiK7S$dW-AiMk>8!6vlZ+k6GEzYg17-%^{LmZE-TTOD`>j(smpMoqNOGH@-tw
zJ=ZqyuKFcS`dqZbzJl&D6&oHjEfJu9{<^?Wtk$<_#8%LnJ*8PtgYyAxnbqmClp9*1
z&<bYPpJD-HbIBP2dE=Wb+u4Gu*LQ@t%)M+J`)<G%$Us<1wm?hctx5O8H4Z#V#=fho
z%<G$?+}|PxQk)N6rEf)yj;dds>aH-L=-Pixg@pY`-XU%*d*bZGk4=t&(J@`bfGe2l
zb@3yz4SrW^<8A?#^Ivt>*I(w}2qjrR0mScN$G_?(K3_OCJHvZEm|T0fWm`#`A<UPa
zpzNu6bRL4X`!?_O&UrJAhhh*qTU8dMbmD_H%EVZj>&2j22x1fIWx;tR*tr2>I<Hm~
zOyU;eWM<m8ce7v)g*<uOURvq#SLlJV#sdLJn#-G9Riqb?NtF(nSv6fqmU#RDwe+eH
zZM(S$tx~r19QTVXy6YI3H;|CE6|r!GkN%*yDk2EkKwkMyY{ci{E}TOxjj<>b4%D6F
zo0`Lp@o!8mR}BR2#3+{?H#wj$KcO=?MK3+~^R9FFUQi#WTSS%e%*n1yA+-(*jk-d>
zXbBDXl_gfC9_9g)lLEmvVZMci@I9Qtl;~!<236SU9hXr@`1B;pSt<j2P#sH{^7o|v
z#ak$jSNF?V(B(E|VG#^bbym)<{MgCO80m6%V)9QM%dh&LgP6Vxm^9tFde<aRpd0lM
zYe}VU$M~eEhZuMSYv7I!oj1Z(dmCQLNFdhG!M~}}iFQ3PJXQ1*y_8Ks?<fQa&_77M
zk9l+c60bT8y#E^`%E9~p^Ctb$Z(4?>9rj;jgLB&pZ2>pqu~v0CGC3dq@;b-tn3x#N
zYU}=ifq{x|gw%H>N<DFz*1z&`{t5YbGgEP_lJZzHval2v7o#$nqS7;k>8d(5z_ep&
zf8%bBX_&{m8xSlNF@y|$C_jI`Gy>^=cs9`E+}7E-DrB$6LZN_gmpIQ!gk0nOAC}I{
z$-%J%vhpRu+rxDBCz;5b`6F=X^&h(F_-fII=x-x<m^fPCpP6f8;!mIc#NpOO@Uwbd
zc4uEaf4<HX{!x8}gR7zt6Kh${%$Hj7()0c+s4?9-AP~5H+dDn0+|~rO=u=wC28uC0
z5XbGp#v~&hpN0;geuTtR?g+4*G_$;oY^uHO5;2$^ih5dXd61evJ&L+I{5D^%Jzp?z
zg_xgTQiP#?;OCgXj+&S7$y!@Yu4(ud^j5(*LmL`8mWqtelH*%1Gq=~ms*>kp=d80M
zv^r6Vq@?AkIvY^5TayNqAB3bHFc}-*&-V<~U6{=<59wlD!+sz+t-8KeT3T9&f}d3o
zt_bV?0RP@s+51;@Uj{;O4b@%<@Ym%Ir!CUwWzdw@O>mkG77{Gh`+axp5)}=z$+D=d
z{ig9E4r;C-<}_IP#?$Q`_k*2qb+9H0ZgbYp5dJ>7{+h|<o2Xf>Dn6OjB8d9zC5k3Y
zapYZuU|(TBe1-y0V;T;AX}ck#IS)k+MGM@)-sO03|Nd+`NPDRCz}rz^L+RP%ho{h)
zJiJOXlIcu=86aXu$v)oR0x{cCRrzgttno+uXJ2<^;7e!>;4FCrKaq^s+bVO(hX^O1
zs!gRUe6i9dtGC|8S!393LoW-ziH+1^U;k+Jyt*$C_jMezgWZ|%@B|WS1L-O9_1Oo#
zlJ^;uAId%OJ_gQ6k2dYDzAYOVjthbWjQr3^d7v7xv#aPFletbO(}%1awzPZukck*7
z6DcFrKjY$Ytx5MvacW}q+XV+=D7BMtCU1_HH0ncnNVtWvS=f@|(a7yk3QYsW5Sb2|
zvJh89Q6yn~tqt>d1%BsQ>w2-9eU*#L=UGjzU0@<1gLS?$`9#q6)L4f;@{2v`>R_dv
z$nGs}af$Ct89fgzqFN!mMxt{P*V-vHaobZTb{iw3pO2KNkC-@q%&(8QBYNhD*WEVm
zzMfP#X>224Op&%DuI#rAxaajM?xEdEqy_T+Qhd?30W%J*DlWS10U7Q@B&sYTPv1~(
z#_!=cX=meBg4Ao3c{zNY2|01&m=+rD951rt){^Ai>gKBD22`=^COb3~cex{(-=%d+
zVJ8HmJTFoB!-1xc9tIMG;AZ+>GAoZj%eh9rUDHQV)Rpbb-q4pp__XBnvIXNwl;gsi
z9@c$YDC5jfh<&6vo_RUx>FDh0ST2@QfWIcH{8(LuKdVN1k#)={(@x1G7~f)MkSE$o
z7*5YEJ5kbPw2fordvb-)A0^7UiWQVD)wh1@Qaq=&ceEa9AP<vGJ~2wfcL>M@^hB?^
ze<92doh}AgDD$Sd=Op!q*2P@b123lxC_ptmRyqN8&E?dFTTaGD>_tOeiz-I^cf*NA
zaZnmzPMi9SaMtqDR;>Yq|H=m~UOGmtyo3V5?ocI}`r?|H`D9X$vckMwNOw&HrQyfX
zS29*=jV??oI&td5a%>J7=SER#%3cENMzqv(Ht%Dlcj~q*sVQtZ4snpLO$~slzPHpL
zrim@-3OgDCQ;nZj0sJLj@0h>Rj0Cky>#K72xSJ<tORjGrhTAHv9!!3`SjBf$Dqjc6
zza3iP^i`eYGDy{A*<jsx^rGxXq4r$-#%jVLPW6Tv?!bwMy3JW+v0h(>L~LA#cGvB>
zj>wseUGBWTf+R+YpW3Eu<yNslJdH|o8o6GPqCZJgLl*HQ54SiJax&>z5v(vK7vo!|
z_C9wmTZhL!5f+;+6unmzsi|P_ud&~t-ZMl=IA_{t5ra>(MDR{zMboa-<R3{gAWJG6
zq06aeAG(9f4u*1bymo~RCF_+`zQn=prrL|jH^9vTHOOCjuZD}jx}z=L>+Rs?<6$zS
z(P$A-oo*Af$G$CpV5BX!XY`p=?{ep3hizW<nU16pnly;g=mt=n*G`I1`OPPuaH5~x
zBvd=@2*_(88Wm3Cx>{a~_q)e0vbt9J%u98uDl%szOH2LD_uMAMd5acrKAKcpi9Xp`
zt?N7I)6`Tbw0&o+tYD0guU0@)h22AxEgjA&NNTVUtr(GZ5`Pxd#KipG1`!8p@ol_S
zYj9aEV)5$l%pZIfIbz`u$uN2UgPq%}uB2DKF)Z(Gloim9gc89I5((_|+CICh>T|os
z><l+Z)dJO5ue{Ba$KYzQg`ev{gPHLi+szClX$+Qp6t=T>8YMIreG2bjr(-Yqh<LHb
zMM;XO`W?r&um|H8^KA@lX6d*kZyT?&1}hTr8jgSV(dxEqAI2>HSD-j5fZLJRh>eu7
zPKFG(ams5%`IUfiiPX|E>F5I}E#zJQl9<N9ogNh<s}#o#sxW%qZN7#_r6jvr(8f*d
zh{zp%M%ok?@gx2iE4-8HzEu;^r3e)=Cx#Q*!+Yvc{7Gss1#uH@ksG-$pdmyL3o}+I
z#pPIys^?zGq$(N1>?iU7LV33K7|9|nhAb+6g^i7OFE=jjd9b5r@)~Y7-YPv;_{i`<
zYl^kI;4CF5M)g^dc}}>xO-ybMyuq{z)IXN?l4wSt>IvW>0D#JTpc#f+_55MrKrpU-
z+}E`FTn%D}#GCl<??Z~~GRcnWpqE9w%RRx|+&Z5XmSR|>iS2W;@LU~Nr&eE?u!p)t
zuwIJV9~=2v+QaTynemyIgN5VX6l<q|g;>QqqSoAOnykBPd*^7!=F0^(`|_q2NJ=a3
z*WXiS@Ah9VRn@ZJl;$-bX4qwuJSZ-&t5opP9N$*k?rehSC(yG6F=Y{`M91n<HBK+n
zo7rN?@M-w>O6X9jTEvQGcj1Aw9Wfh1UEFuVtfE=Rz@e4+2kVF9Z_~C`KXa>oDKhDc
z`mS`5&ZtdYpUjY{-<H>y?U=v}rORtbQ(CRq-@o=LyM#Jc;<3!x_?3NLC(`_eOXBtJ
zWfjIAl8Y<7EarLqFfcS2w`?H!r<=+2c;6TmV?xvJI`U3VgO<VR(+m@*6zzcu@dzQ)
zQIhv$Zx#dJgiw+wacNJd%&(hvyHjQP^#+v8G4y#q&B9KoibUtXQXpY{SW{X!3wZR5
zWHb<3pH)5(dI>}n?S#BynTg01|0M(CdlPeHR=K72#qCH(o3TjIPsH+cNH&kkDYj=y
zq^xkeC6OeS+{xmk+I3bo;Kjk`=V1)_wQJm*?u@*mmw}G={fjbPkJxwdgz3F};ul)A
z+%`3W&j=Pqcb;W4d$<hOT1<q#d*Pnkqaj2<75UxztNfy=?%KT@5*~hu&m3H)%WF?`
zHX3CKgV>MPF)Bt)+G#N4F5BM2Z~RmfR#UitmnK0Or~VA*WDxL+hOQc^@FQf1nwuO@
z!|P^%NkYQG!D+?4OZoukV^;?@7GFwTH}64K*@qE+MCit9J$VWL&uEBA5#%YUZEc$c
zt2Tkqx_Xa^d5-phaLKT)@FM`$6of(&sO#Kwg_Uy`Rn%nw9=%1L*W!3Fkj($%Rf}+&
zSCpEC4Y1_fKb4&sDN5Lcg;}v2OOK;uzubDelgJ!5?FKAy`kRbS{Xf8v?bu9zLMg)4
zuIKv;+uPfhmvta(20E1oXL#cn6kGW6cMwFFxXx*7;_$ExWcs%V9|K|&|2{~pp{`zQ
zx8&akojE6H{DYnqYGloGo^B2i{tZAy^~KxF)p7Cj^N-RfL=)Deefy1^+5T4rbTBa+
z!QaOV{={q+j(+om|8kgUsDEN|@;aYs#!)_5E`a_o;FbY-UaTxGF3!%*N<qcs6;cVe
zT!y}2XoSH(fE?s?T`83u7Z*2!nr|R{+aa+an45+vSNvPf?RC)$A|fU>n%|C_kqC-u
zy%wp&lrsEbRzp^p9!-pmr_YNTR{w+W%_kjem4f|T{#E9$DNG;#74D-0;o!dw_+j$i
zKK|tu|H>iKa7I`7U3MQne0WSGmR@j}Kr%f6*0r}EQ8qR*>Y$DJ8{?wqif0A@0QFd@
zIU9_#h$gVErDdP$4|R``mV;*B+^3C=8AqPEeOIPY4=W94nBLi4IKZ0NV6x=dR!6It
z$PNX}d?=Ns4Pj-<H9DHnpF&Kx(msX_FHz4jc&o`$VkHRo(AOlP#FBHzaF$)?bz;Ie
z=JNgSZgH5B9(2*?(ZhzL0saNW+wh`PhoxHy8X+m<D>!gH8j7FB-&apojV;@;?~cU(
z2Kz#xFG~8BKaiDOyao3jc;ics+#98F>ii^unfMe91_>rrHSoaG=-lt&%$g8Bc~bKU
zUYBZsY18Cqrb#bHJjuvG^J?}<JGLwPTy*aKQi5ZT(<7m{spC(jmHD}RRnbF`a>@^t
zPcg#Pg<`B^cx{b)s_E8Vf3={|WQ*{5ad=Mi+S~Opuy7Xh=|qYQ*EZEj8HA!!D(pB(
znfvFui$a)ee=lQ;yu)1%r~NwXk^H4wGq>%svPkHXc{`q|Thv$KZ|J>_&w`3b1&z-|
zK*_QMnyF?FnSf3cWbn*Qy4+2JOOK@Z#A<RiTG9^1)Tzevr%?lLCpyReMgk4`dsX|}
z?4@1LH`ARni`p$u4xZ9#75356ra}E~!mU#7JTcZ(l~G4kjMQsk5V<W_y!Y#eKvMI(
zNP1r;y`CcbZ*D9K`eyQ2-n-S9!~mVyS_j$&=J9#(%RAU*$VVZ8I2b@Q1a1a0F7IyJ
z6AwspjdX-d_gjxuA(q=@Bs}VBw^aLz>U;!7z9+WCPuvU6+BiOzsZ2?^Z-oB>2A$lf
zf|RpMr!ZTHGs(Cr7eB4SZ%yBn!2n@pNS}>`!&dBZf~2g^qQ-PEKM!?Rhnm<YK=D+)
zw9M){vp_<Zq$kK3=z(C3C7Lw8&ZElClQKiaOPBeUjMHyuGs~*5DR-;YAjbC8mDx+E
z&qpHrPWMk<1sIe*3(UtH#wm*dH~0S}^$1Q4Iq)XHF=YGtI>h(ZaKwRkZI?;4gG0T{
z?vUOmz2PYSYItzAq7S1$b&Mf>Y$<d_bC9Lo*iK|Avye(LJyIpeh-Sk)HkKv3cYQ)J
zYC3WvIRDF(Tcl<`9W?3oCzC*qUmobeQ=RcP%_(<At#$h{5h~w-ZGeisv4w+s=!;oe
zcXO*p)e`19!}a!}#In++R~7k^o=#)0RmGKc?Jo}znK)*=Sl-i9j=*0Ovo`xB;ii~8
zq74iH$7HSV_VBu?JhmBj8*U)DvJ{qeTx5K&;83^44HBg7<<jm`8J;$~33>swB&F3c
zvv7&q6pW&9Vo#Iewzr}Y&nq{YQE@q!(qmDVm8mZpq(S%EAx5s!`u1DH{lISHwF4t7
z=u50?i%M?VXv;b|#%VG3dalCbA`e*tL|G@#3;RP<NS6iSn+I=T(y^lxI9OwySxdLN
zq=)h=s41o-SYPt7Qv5{j<<n%Cvx$f85oEa>GitNDoInIZa9as!A){l)4k2#}30H;X
zr^mR$a32JyjCU=5Rmkp|h#Cue;o40nH`17sQZNv)zoK-qzuDN;YV;~)e%8oH2jg2*
z=6CiT%6))=gX5vcGCULYhoa;Ie!H7|A9QAui4VI*X$`~ppok!hYs1`};h=eczeF~#
z<OHl6jM3T#aH?&!3WxWs(o4pkLjKvjeyaw@qS!uCdSj-!muA9Txuy6~m62w3mSsN<
zKbk4pSawcWi41;gZOIZPr-^nmHq$|IN6i{>*dOKDJ~+OkwD;*pe&i>{_RP4X;Go8>
z)_xISqd4WyplbeS3enxVUwIuziqnTkI%?~^l9e0$=8arP=#$1J+S!%$31|9aA8l%B
ze9=?+`arCId<7dTCk_*62oWNCgaMngp;YwYlhAvAK*DMhsZDoEtt|9~FuS(xnNziC
zHsQd!X?$Y`@7FXFr_<dOx@~J0j-!;f136z47Qo_eW#UO39a-EjJS4Y{gI;L5$RF8I
zLqBDS7ScqQ7Rn}(_iM;LQI>a`S)?06h4{TVXrK}h5@*?3c;-Gi&Wd+%oD~P1Q7xsj
zkE~1Vmlm1oVU8DkTAq7q_QM4M+!gKIo=6kSJBTtqAf;IwCXD<RkR!=DCcbdyhm|_;
z-vv5qNnQNny0uRa<$DO&N?Q!3n6Ofxa>g?UP#!a4JX2#u;FnXTtS>Q^YWsB<HAM-G
z))9gG4a++gV|kFZ4%wVk&rQ#5o>*WAJon>=_b}L?{%2?h_GQBBFSoFADxIa{B&`G}
zruhDXhA02I(fe1&*-Sxkaj&EL%~sq@&$EB$d$T@@gI^ih+1a_eB3P>by6wy{wq6B;
z!7u;<4|07n>EPhNZezW~e~dvb|1WF)4;o09N;aAP7!-N?hZ@|M$Werx<jw!0yp`e}
z@UJ(Rv0%-0U@}nt9=P}~XT$to|K~scPufoGBNNDY;jk<0>SFAmMo!<e;_Q5E%`>f&
zLMnM*+9at)D#}t_If{G3zTeG~j!qG=znc8UszRoYo5x89t3ucsSqmLli<7lnIE=e>
z@Eh-hN69=(s?tVeO`G&SaR1JM&yk}-p88_qw$}rV{5-SHkvB}H0&Cog)!pPkVhj>0
zV)lG*x517FOG-Kxe^y0Daj&JBf3M-GAoc#%13pfQd)Psnm@^fH!yo)zwRz*M<yUMG
zki5hS@wgdF;G-T+-+6yL(}<>?=>e^(+E5eR{T;se5DcQLl3enkc9}HQBaHOP*kH2M
zELxu<1jIYeMPe**C70y~Wlb|QIge0c<rm(Q8J9P`2#h7FSZTb#mqvVG{Uw+Y9^TA!
zIes^p0+2%>4ID}|{5jQ`D=WQpYc5l|ZZ?ZVh|YnuYjFp2O0ny$O{^6#DP*cM_;wEO
zqK}ml1whP?o&b)oyc7Puene*A17^?osWmGgS8;N-stGIG(tUZQDyH<yfzS~QOf5dT
z+LDURs%wf4&vYlBE1dZZcu~8Mnn|}k?up1k1=Abyv2jrbv#TbXC|KgTbBm@W)v#RO
z&*(P};@VaxxG3XuNzJ2CE>=c;Ey(Lid=ja%^9;94D}nyQE}>eLfF$(#e5_#_n8Ko1
z)8t_(Tf(1Q=BhP(X}gF&W6aSpZ3s_`;_oPOF|v>)6Iyr>p>JT;;mlf?>7IpjQlFV_
z<lGP|x?a*Ld&WH1s4~-`ZDHrswA|~wcVoEGI8_%zc-IjgN!O(H=#*W2kK`coTbxdJ
z$5hXFX7T#xN#o~PvqOpFU6v#`339G+v;=~BfxQG>@PQhPOVGyoao6YK4eu;}lE-Iy
zVUopVju89pJj?b0N|ERLa}k$Z3uNL6r&TKm?e!#5zM#x0My3=?r2a0@|5)X-e0^6k
zi6sw4u)!E`|8?@mG%4V#uJ9>o`s3l3&mWPK06rdQC`?}Y=E{%zc$k!FYw0BPe}Hjl
zOP-8R5!c5x`Jenym?xxB<|-Rl_Lr}ZmI_>(!xP|K?q!qIo7^O;#l*~;Qi{})vyV7U
z6_DQ%Yvo1iBI#SD&JJ^V8~Y|8oGL$dyC3u_)gGmYa%rvPxjeN&QP|*MJ+Xa4J5F`S
z*JOl`AY-nG6?b(^e^iXkX$)6zL+CezvmQv#N}1nKS-DGXx~htPw~}80B-}IwZqlb7
zoik!-D|%MWR}nc~&%|py!SB=-w@D?OOobhsQN-w^P3k9~17_>V&r*%5ODENavO!6k
zW-Z)Xj9rz;wI~{``l4clyi}B@ta2u%{q$F$_@=v$JQ)1!{iFes30hG!mbp#S&Pm6l
zGskjrjPFOvdrVv&hzA9vo>oR=yk+55db$0YSJ*+PtT1R+ouR6;Y8n$rHeSYW`ZUxD
z7RJRcdoB{u`3D}qtiR`^$^rQSK6KDVd~MAGP`8E9rQw{JaRJIh7K!N-Uuy-$TD67K
z5j|T|h#(>Ps323vqFpdxEMsb)ZeT{9l`ekNztY}U)RlMjnyx1{oZnpA*z#0sEl$c>
zTt|u9-QH}yu#l>J-pmtpAz2{Dlg1qZ<Sw`TAzK7u(5y|TpJ^ddzT}P%)a=HQ=2y58
zF8dI=@r?KrjTzBn=fv0~{@6@w;l^cLue72!POc<;4jq4$vde!mi!e4srj#V|`BD4a
zN*+nr>jtr}_{w*C9OzfDHBOoiKZHaSXUAGoXugvUqZV^(@(>St#(-315RG8qE-1@X
z(=6>=GN)5?Y=T=srMs|qTdr{cc;B2mu%QGvAG5o#tAYucIiR#b+Un~BhTPp|({Sg;
z!^b6gbcRkR<3+*j#ce8|6V>CQbjH*58^WX1<TV25Y!pzhADSQX*(X4tv>D2g{R(aA
zX}uNw`aCSwtBLX>3{U|xjFya?m+E)RI3=j4K?jKjb!IE6W|B9fNI@nR{lQ6cWjkh<
z!XtgwAyiyDV$}Hh0Nza0)6A8_E*#ECd;^)>U_PVTx?7cz4;e%2gzYDzd$gR`s_eNo
zwn}ZSR;LoF#=~#XzL>b$J&g1EnMKfruaa=(@1`X|RcWt2($?oJuMnUgQ76c|kvBDM
z=2k|mZuGV1r+tB%x=i-4{Q0E6c{-V*rQ7aeOP;{9u!;)ls;>Wln}sOu2{4{MOMc}n
zH*>L_VPEQ?q!X^q*a#FsDRF)>)oC-Fn1t3obRg}>G&B|K6(3A3jAY@4F-51uPUz7m
zj**4%7wwDu)|o`2;KIky^e@ak+!1psK|woN>!+Ocqy5Y?tI)Br{x#VF`La<*IifOd
zmj=&QDFT(>WWx##oi``)GIFeOM;Qk4$TyNZt768o$mzUZ=CPG4kc0uc4}#>-6^7ke
z!SW#w$E4Xy-fi;rgdF`=op`N{XU8Y;I?!iJQVJndva{Mnc?WM>gWr+eSC)k_(>=o_
zbS9RRg9e9-nh=$#DHzuk{#GD<=|Rd|)@KezG=5!4bzieYAAi+1Qnn8Jyf7QXtt%6Z
znAZD`5dIkBi5Eit5CL_Au4)O)x$kdL+ht!$WQ#EaoUT@+U*&Gz=AQAFs<N6>xIEI?
zb>a)mT#1MHeJU4s7KyUF#F1mCatg(fCaKd>aUH)F(L}87Go@<2k^82e;EyP_VOF%X
zw&aRDRjNPD9vR;}>djD3i3fp<x@8<zrh3*wc{K02>K8v!D4Q!5=QMn(`a(HJQ_~c;
z-a>Ott}%QOgkoRxiTB$Czf^fg5s+8NSM!!8Q8g_x%Mhet-%xA0y01Lvts#y>Bw7@<
z%{~@aF2)|G^POf~N4ooEQbuvtY^52|(Mh-R2MHN}F0X^>VH&NUdG-sot$1gA<Poi5
zZ<p7#XS8b+mOMk`%E)<7(qgzG7-$7H%aEiYg~?d~^f7aEkwLjhr0;@)^n*nsQ|dQ4
zDBx8K(^N@4R#h?J)Pn$Q{jCG<nTU^f58a;r*{OuZWg0-NkZxW!H}0)C^)(I_tNYC5
z^-4e|e8)n|-IeuMxdn8sCkgUaq+TGgnA``)>Q<pRE6d#95X+n$<@ud)p^D>~_MD|J
z8lReomdi_>sHuv)Dld5<HSkV>Ar11;Ui-XCVp_2sczNchlu#<{CFktW9j-%Cm)|ZO
zX<7DYB6F#RG-LF3Z;p9wWBga!cg`&p;(b}uDo>!!RGJKDl5d>17`+r`B7<AESqsA4
zRYjxu=Q9KLQ6f3zhVk}sC0dWVYxK^0MZ-jX5F6BB=xYqmJ%|8Nku>DK2};_UM*(v#
zJCEHYJCifpa*79aI1oys+K4b2fB9%jkt;P<d%g72Ttx8LBPtIX?NCOpU|gl~Me8f^
z(hKGKj)MNM^n$61R_pxZ*@TC7;z!E%^zNTfR+!+3!*S>IGXTbI_7(7eoA6<v%y--&
zjG(@2zYV<!^Q*&EQ+DavQA~QV9k@C3+`B(PsQw81Cz0*e_Gb*PTfh~NypY1LWT3dm
zP4b(}D6u`Q>*7soSD7lWhVG{BoT*{bIARwFnvCwIw#B!^Ro|(T_1!qc#4sg3eDU!|
z)09rkgLN@W_>#gqwjo!NwWK%Gq<Fr?d#V)N+=+Fo1xrqK*N)CQSvyyIbVcEJ{37&k
zy#HT4fB#B?{y(z^xB--cNy*9DAkbN_6*b0H>6xa1@yb5?$CX)aJ*T0gbBgy*(ZBIx
ziZC!R@L11=yE>2})8c-oLSTHw;{V1W>=OCns8F-o*u>;7G2-ET{5!qjPcFs(;J;G-
gIZ>?|MsbbKNjfzH`x43hW<cVfWIh&&=zjTs0F;zINdN!<

literal 0
HcmV?d00001

diff --git a/doc/user/crm/crm_contacts_v14_6.png b/doc/user/crm/crm_contacts_v14_6.png
deleted file mode 100644
index 37a615f39265b444efd488f263ca18955e359878..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 19864
zcmd43cT`hhx33E#AktJsq$3JQhkzh82qGOsdNTr{_hLXgA|N0&^p4Vd4ZYXUdxy|_
z?+^kf>c0E??m2sZ=ia;b8RP!JSYxe~EY>^UGN0d^^G(2eMJdAj6!$SOFbHL&-+sWr
zxO*1^15^Lr9rP8`yZdM81E#|VDRGR#eyUCM$z78-3U4qlN<#6k^|8_Cc(&474j33j
zt-t>;J8iPT7#IrdGH>6gI)B`qL)cJF#4VuCm13Jeah@3?keE0N)R>re2sY@&+$2AF
z-@|01BjZdfAvYx{d}t>XmQNSBVEK~xt~q%eUrQ9}H$M8o*6+MOhhiZw+kgIg=9ipd
zHbp|gZN_}~AiC9?<NzCM*TG{{U?8V3*E&KWcj^@7Ra~2^m?XG9TC~1dXpI7fqTdl?
z^b!2`;l0WWEc8K4A)Mg%=_^UV@587n2YD6Hy$1MH&-rAd`6O;+<lHEru9zp#*MMOU
z1RU|KcHB*x(N6KSE8Y*FvAf7Q=J#ATaf&>hz?Da`nXRlyC3w8)-)GF2wPp1wueLv~
zh>PMxsZvsX(?{D<Y~~dsmPsb<1>P^M$bHf$7It$uAh*Nz)9ne=TVGBxsfO_xWW_q;
zlW{(eO2DxjNG`m*qJ)cYk{`B_br!9F(?1|GJLz1-ckTvKLPU`^zEF!JctLmrF1-!-
zr6FohQVR>xFXwv#qS<k^qcp5e@gc^*@VZYOPjGz{(`Xq_oL>*g&$4mmu6xr^QF;{M
zITcAb=zq>l-UX}R(yf{627lV8s7uf<A7@J0-29?XsW3CpjEjD6-)JZ%=~RM=M?TL)
zmegFC1Z4ATij75>07P6GPiwXJbM0A6c8X3MQ+XJ1zPwv~*6nnB%6<8A5w1-dN4%oS
zaqDCu$jW;qC8hlZ%5A=<r}76@G!f*sa-oS&6F{NcinH-lZa=fu18!Jp^En%wcZwq~
zrX6mW<2f}L2jT=ol&FMm{jB`7GCVJa2g4<_u-Iw^&f!hnD*^NK4i0MqX~jblQaBxC
z{4hsAF`q+s<ylt%YY(V~LRdxY)DAUQ;$3voeLY`9@T1-$VQ;INj|aR)yGILxCCI&N
zdVDPFcR2K`FO+crXmn*FcySe&lb&jvfalEEP`Q6)Vlj6xCi{F>ezSk2aqa48^(e}w
zmXs*8emxL9f<C3Fx|z@gZ92fc0@hG5xR&Z+3|Nf(Ts_MZSS>7&Ougwa%g9=nQ*$Fg
z@ymyH&BzT&c+=IXck-<uj1AN2UA;hkwR27px>G#dkB2hdf2`-=k+jBtcEv3$u(U3e
zxr=bfwz(MZSnIex&~Qz5`=a%AK7omtxa#Q@G{8IAkR+u_%?0OU5AL{NB(1YidmAd0
zhP`oi;=HBqi`CYS$Zdb7EDqne=to4Pq)yOt&@OqEwSm*v!emk3`8)X$M0iVrg-y!7
zLtpXfi3qR~R$YD5@!n>jsn@0X9vE#GCmt++%kxSaD>j9$?ZFn^zF}SzylE|q)#6OT
z?{wQo#Q$CIEOAGA_&Opwif_%+G?{4FU8`<%#$hXyk_0`acFL?g0S^$%{4aRErx09J
z6Xty{9&a&{;c??oegnW<WC~;tHS)Hn$B%?g(CP}fWS?)qSsiF?Cb0!+^r!?zc^q2@
zJWmeWlq&;sJ0IU{#ey*m4zVdO3J1EbwD$;I*)1)0r^WWujvW})`6$P5K7usR@7GQF
zT%t3Sro!ejLDCF^nh#9B3FR-#OgO(7anUt6SeeAdejdh5^A0Ku){8#tO)9JB$QL+|
z9lW}3t8V@Ua<Vx~z~OAX23xM|j~mI=a8ll$%q}LkqB!L_JhYGM&3`v6&WZ`^QD2^>
z#|+%dh?eyJD&_TAWusLz-uJ%CbywHqINhH5oa^RE=rj6>q082&>WO3_M$E%1JUa(?
z)1{8q3v(#uv7ZwMxwG+bdk+h_ZCdd#8+lmFBYxmz%aSn%mR;$4ou%dZBBBA2NUcma
zD7Z<)5j+VNYq@gkO0HLwqEiw6!AO2__4Z8C1WIu7(Oe#9)*^`@Uw3nx+_}#!`4goX
zMIzs@^c8)DXU*#`X2nJ82M)K9a;oUJFRp~$CSeAwsC}oUCAr`1ehe0~T>g^wVNE$Y
zxwW%%4Lx9-t6<k1lPj)|%w%Kdg--n3U#|K#=sGqyA4(74k!;z_3nE626WtqK91eY%
zP7THDVPa75!q9Y^iby>ZW8be69m*bH5_g)_G5YFS%K=oRlTj4*tjbcA-sAY&z_&{p
z@h2Y>jzEp2b*HAs%Xo3i5tw5ORnK%1T;w+fn||bW4i*(~-BDiTiYG-s-u?OhCT^T#
z-<g9C&z>^v@nCqsW+mU6$3;3@%txCBhmSSpv?LMl`sKccpR`YDr(DDO_<uJv6mo=Z
zfXogJN8TwRK3lfP>3a-)qy<=5|IW)lnS<yHy(~&Oqq*!D{BcR1*te?DOXlF(2(Vpk
zU)LS1^DunL>Tt7`1(8I$#sf^=-a!;pkl(IOw{|Kju+<{Q%pwT7W-m)fq<S5Ml}-p7
zxMF%}%TI!Bk40Vf;R%$B$WH%|*kIWY4_mf5$vS)aorq~&?T%#6;9|p{D$*+W`)SLR
zNT@x`O%31;w;vyulKt>f=lT)KH($HdaG&kDz%>j-|JDvbCjjqKK2|V2CiJe@mVg}i
z8yCtvcP}b?7ti@1Ay5_c1Ozjjbg0^&S<4$nw|P>j8vH52k?4KSA`}ySjuARl7~$>P
z!`{%02=V{=`%3xP8Pps1koLg=@R>Fos4^-p^ZPQ=%qbM__g7vQOXHvqUh(wgzptAI
zqJ23AMmBTA@0+Qa|6Mm(WN<`(<HcZx+hEbbzw*qF|NnK<%V#(A_BQ2qSxLv^P7b2*
z7T(Ar{+l7Zuy(q4aXpWnjy>(%q8nQp8?R?7Z(KI|S1UzNm!tlev+2z%dxzbk<S$6z
zZ6yd5b9=LQi`*%?w77<bhaX-lVKuV#;{GwQ?R!)oqE9Y80pIiYUFECoG$D`C$A5Z(
zO8WLNtDw<k%}SKSbXDoyCg<%LJJ9z2A43u4Hog{32y(e(MM6uCer1OJ#+-#zdU8`#
zD0sn33lyIM(mwyaK%0sI2Cr!0O%2*^X;K7r4I`#EJ|#>F*h(Sp3nu9MbpGJf)5cu}
zEJ`_^=UG?CWG+lIv>y*IIwcO~w7&2af|Xofbq(_S8GEc}2~92)Z@Xlkvr6HDVzsQl
z+=ImsSQhrxLp+LYEQgeUE+?x?T@x;@jeMmS87YTPg>{pwc}EdWlSE$R-Zv^5PiU`v
zYb!4|XVJ@W1DRo#lcAxR{mN)b+O}Kt9SpJHFoN=%341_s1)oFaK)YwoqMno$M+;4?
zFc;hl{6;F&L+_^adzDR9`-Yn<ylI~iSN?D=)OIGn{!sVuP4NQ$&ivIjY=pBsYor$S
z5<S4F#9m+(+*U*rSQaQGZ@f|-OZzoY-%!`EX<}2zspN4ki$bqSqo>u!pjTxf^{};d
zRlz}c)ATmh8Qq4+)f{|<&KXtBx__B7_x$%fseOyKB}fk5)DirQ1e=B;_PTArY#}9O
zX#YX&Yqocvb+(U}7Y`#^-4Qf8vt9H+h7K#r9v)5t8dRX1cnB5hY_hKZiFoSuYWGUD
zp%hUZ0BbpjQs<Fkf2jM6^;$r~8-Au@tJlWcJE-oG<04M~jAuA=x-|egY@*=DlE1LO
z$TcLiz-C3{KUdk<?j$`8STh_6j;emmSTEIJ=W+C$7K}6}6@p<CPF{R6zL=5fyEo|%
z!2u<LH1zsmRj|YPwm}tRiFy$EQ&$b_PDx}&Q)_~RF-bkvM0~o)_P#E;AWiP}gb&rs
z?PkZ4g+yoXgHsv-Zod75<xu)|CUHvI0X@8dENVgfo!J%HE9D>5-z=#b?N6>}D5oC&
z6z184mE9CtFD^{B6s9<$*(oVK1N_N+nfSxW`E8+z$36mP?@)776b1fdwZu%qM~&PJ
zOi@lX0~FgGr{g!{_Jb(M1^8{>eh5N{Ol!tIt>$&?jdZnNxC{@MdrrauKsp)^zVmoA
z8Ha1{wldCN7gqmlSEAnAo5a6QLI@;e0QF1u)?oBU?idPBB{uVyz8?^^wfQx0{5+;V
z;XBAYas$C}0&l85Ubj-EZW&a4!zOww!LtpIi9wayTrL`B`AK<fEb9fd&$Z|RKJl3!
zQJD=C2aPf;+ar=Rky+v4>$p1;zM+Kh?|Kx~W`GhmtnotP>9K35oT#pPD0?+KjR^N3
z6J<oWBV0`hbVj<egc>&8eN`Ki9IrV9SDRm3%J>Dr@<;X>s%iz=8`$?1txkJ7F1$^d
zDJ%5iHJN&>S^LFo<r;5hGs`c%=Xs3vw6{)*TL%@M&-%O4XHkMC;^I(u@H3qXsh)|@
zcuqV^Hbq?u@>2gjsBviMk2>SwM7A;!0A0mYtJeS_2F3=UfDy}c_Nw()!HkNXaTWuX
zkYy;`;f6OnLF;Hj9Bp)muDhyIOrmEzfxL1!<0h8*s99ZS2`59VKB>*%hi4tVWyb0V
z{NqK1)rtvAY*BLpxR|su-@2!%k91jd=za{S+@Unv?$YSE3R$928oAbUsgHL1C3r|X
zsf!;=lR=yQcmZxI{J{99T#Gv;mbSW<a~AV)5YdWVVMmX77&Ch1aO0wFbgQdid{(qU
zY*SAr%oxeHu-Ka#w?pZ{pJ!xY)uKKe!@%UhNkwt=E6l3hgi{SE3H6Axm&$w8A{83F
z6H2|Q6vj78cTO~C8+Emuem?r+_M#;?^vXT`;9+nIA73;=jh6F5?TQIl0i{)%<jvT>
zF8CTN%D<4=%G8^<KHp#3T@YNMgfEC*K8XsWf#eq>Rspcvs>6CqMz|N05o^lzz}M!f
zNjw9V=&uc-TZm!Xco@M2dvZ$89X>+~yUA~JTB9311ak!5vtKP*7UVCCDET`@4wf}E
zRwdF+J<U5hQ$c+Z!3KpnQ)J)g{E7WTi2S)mD`Z&?M_TIg*z<l&W^GX#jI?ztg~qo(
zBeISr0H+wgSbkB@SI|AZ0L%7qZXA~pdW3GbL;Xvu>avTkQ}!JC(tPVPMI>?{hiLZ4
zj93D!Bp`mt*=E>vsf<{%n=)bbFxP@;-lnUEB2XSJ+-qdE;Z1F2DYG}rzkt^>OxDH}
zZV8gf372~*25X<xiBnjvky4vX1UE|ECZaAAeUTAwzEAY|iMsH!9jPf?&nw|q)|h={
z%o{A)lQ|xJrz7)1TM4I>-yrCf91e{YM<^{%+RwIjkO1VSLXtG_)e9_+?*qvP{TJCo
zHb1%F7bY)*$ZW$6@VT=O=6-|_^lj)L;>lo6?6_IhR8+%wdF;%bH=Laxn^VHY?99Up
z$22?6M~Q9PJ%+9qI+fV(rwhH5J~M7@u$JZtbZT3hKB6Rf4y4*54i&#7G@^8$i0ZM}
zxmm;22&p!K_Bs(WJ~5O-E83VzML^iMQx@_;nXmZctC9p)db)e~(u7;f*taHMkJx5Y
zrmJ=}lt_phql4Dm^`Thcid85Sk#}i6_kO*taVjp&g8jN8j6hhMs-#)P?V`bpQze<;
z>6t}pr&}*&iUnc-+ywM2x}B|j41*F(W?EYnRw1U`47k>?3RgiD1Bfiovw&M(zCMp%
za3CR2RN%68*Bvkz0&aRa#Tn2p$7kdW$-JhUECVl$$ROF&(f*dOyXoT>cl*~KfcK?C
z@`n$m_N{97X<~`|Ie((Dqp-LhEY?2DebL`O@@Q)2@=;E0<qDHW<7Xt|T3(Cw+wv5s
zi*_{S=2P>v?<hUH?r8Bf=q0p>M{l|X#0nQXJ3wjpugg7e{>pDU$8Uk(vK_q23bQ>E
zmXYwf*aSDmsa(XqKl>*0d1HS=Ai-h1&w|>I5tc-t$qH0xR7W0u!&@gN<b2ZDnB10`
zu%F0(SaBu02cad=t~Kt=Ip9t!Qo3lidPaV5gk)H4ARatkIS|Ug^`2R755>EDw?{`l
zndmw1DDCd42V^W4aO$rUrD(Vx!J>$hSP;Cbu>&hDK~v(Kel6U~b>L&m;ZwJ5e=90V
z2NUcY)N>wY3mL*k-Tb1@9|I-sc@l=ZcVTKP;zX#&0otd;XQ19YCJcSG3mWLCO4-8a
zV`w|x?LNUp><*l^hO^tx$)PNp1ErnY!%+%au)|z}8p=Vs4;n#{Zr&I1sP@<_#%l+b
z83mlu*bftzrWWpd6$u=Qvs!=yQ;RRXH>|o-WDvcc5d>mZGr4LnZ>%H-Vc=YZ>S@<M
zCw5tdVxF>p*ToV&L?n%Y=pZS4-#pJ#WdQFhK=#-BM5iZIG*lp6{1h6uYS=~mtrL!$
z3lyzVHdXg8oo4NZ>;VseUk|Wba8(lUJrZZLF!g_tOcj-iPHWc1p%U}98?N3pcT6+o
zwsN$}G%TaRoTzS>35%m2hG2q}RIpjOb?V*BYVY5`-5-AfzO-e2QwU~FA^67jvjQwu
zMAN;pEgu6rn9v5$iN-lLo=!F4B19Q`JmwF((hNH-#r7q1NG7I1Gj+Uxon-0oupyw{
zvZqk?dVuKhuP~cQE{-0Ch?FP6c{_CE(p$WttBGZ|kHyY#E{UL+hu%uKv-}AX*)CN@
zo*Vv|Wor{WW#-Vq>tC#}bX1PYaZsGQ1k<h%DvdD0Y|?Y6m#`%kuj-ia-tB|f8#Coo
zmE^t%?_AWd7$DdL)%sRoN<}ash!b3|0c5A}K;)QW9HR&9!*59UNpA9>C_9}j6!-g)
zu7<R<+ksxw$!yxYQ>NKg%Y;Z*xk8aF<MG`!BH$}tH|A?uv+G3-wAi4AL=aT@pZXFv
zD0s~u9E2t`p86jsdx5b%*<5Vq+Yi%jo;2_b@{)Hoo*6|5o^J?Y#TA@hPV^HSHzI5d
z&TWX5INDx1>;@n2A&v!S`JGqmgTGMvT@6AE?RI9SG=M1^+rZBZmt<|C^<Qo%_hP<;
zw9&4j2Z(SCN=W68OeFF2RY4o>!S=C+t|P~=@s2P#7qHOAXK2Sni61C?gUL2`q-)x6
zvlok8C+Y>dpYGMXJu@ybZ(SRXdZRHy(#hD%--}OCeAvA5<y6U(urcj6yeKn;Ky@#M
zetTa&ao{GHhZ0Oo)R^qH>x@b&*`eDMISNi=-9qSEFq3m3%=&NOu&f;{Vf%&p*Pkj)
zZxqTeKi_U=Z@Jz{V6`DYdfVTM>Sd!tE15|C&2;YdHNNy#PGV!knCPsN@PshhhJ=u4
zf~qEM$ukIm<m+eBwpv*VQOvFz%dWj|QhusQht#NHFkNJ&+;WZQ1uBK2=c(56NL%KX
zjnE%?GI*#hi*r%t`6mdw!SWlz{{&)F^L`V))E^;LDE>#7ps^aG=003(`(J)|?~vAW
z`YO+4{)Y1wHK#k;16oe`F$}ud)$v&PH@T$xTa?{iHlkR_E{-NHn0}p1NH|?*Gyi#q
z*V*r^3sGY{Hgf4b>sUsf002Pr)@&gr25~hS8vieqouWP?-G7%J{(mF0Bftyzzm22U
zjf?s#`rhM<ZfN{{743sJjep)6WArQW73p8u{sb+u{|G^hiUl7J-@lR`oA!kDZ!Dbs
zA{F%PuiS6`FF&$Y9!Inek_!?#EhBEcxNfyT&<Z0*BthVHx7GDb4HUuhxMXD%hknfn
z(7s2hLV?<^P=1KJn)1pS_IctHfgPRu1<&UV&*PP9+JQnh>oo*L_-2q*W4G`-8KqF5
z$i-aHgmpna(s%b{VO%atQ7;iykYX92v##L2yX%;DEByJemMIz5dU>)i6*E5zZ61XH
ziUq8Kc)g|%-!u+~fET8MRBZbCryGT6^F0rzl7?(fQ!a**o)j_WHM(r>EL2-yAF4eW
zqi(ca_D+!mq>j06bU&ts)~1D;L|{5{QPLBCyvB8yR0>XtnA~gYaWe9VVZ>_4Dg!pU
zG@n#>9!OO#jTI`0CJN7ZURw^mQrC&Uy2&9ioWk&Q-rYI8DTCs!v6Nh``H~o4^atO%
zLC(k~-Zk>SRAKTgt$YKqz)FajJ%W*&VcbLaS^0DF*A;U-g8H1>zG_w3d!sodC?<}6
zV~sBn-r4gK8kvNhV02{0vH0X`vB&aPFczl_-(UvZOB7B!OA+pM)+X0@HiER!h&k-s
zDVxIYL?Tma&(cs2;PyUWj<%2<H4c%8BMeI);;X27X`IohA@*B@%JNzgWi@31C+fNd
zZqsdW%zQTHY3Gz9-#`PpTmr_sPHz<H-V{Bb9@7Deu3Nae9JG`tY{ER2`$LsP*e9y8
zl!6C<&Rjr`?#EDZo+*a?=A{8Qx#XLE-#FsgUX+G28S@UA#Kg}Q!{JT|{?fg~tHUH*
z;=La!d^RsdQI;E$?Zw&4abOH;W-^w(ZtuJZZ^~Qy(?lVwMzZIPQI#D7?wz7E_Sc(G
zvO@M6C!$%qo9QIV=RU?${Cycs99$;175Gejr_GVX6W>tk4;~lxCvNZ4y0zD*=s5;o
zxt;ch4%A5LC*O?wQtmM)kJUB^0Y>^A3{SUCh;c#_c=T+#*yG(jw_3{1YV58urb1Dg
z*o>>Pg^!4zczPV}RL-g^B~l*~TdM^h+-N67>sv_w^bq>YM=8&LXBk*|ZtFnKYiL1f
zWqrRWKIm5u&jeXkSu#x}nI;d9(@r~5`l%*TT*!5of7nZB88L7s2XTj~8TIDE=gKam
z`>oA`fC45q=8L&Rqw(l2;qx?U`bc`zta5u;R@7j#JOpZV6z^ZUb$2rQyt+5w!Nmb@
z_8F@!O60W>zdqjD%Bl`U&YphgzZ{F(KR@@}&Zu3ZH((hkEORQn8OW=g2kD{u=JE#M
z#<L7F)~Jhx_7qNzdj8LgI`(No+!u3)I{Tb`Azgk~oONcfqs4(0ZKtIc&gko!h9gvr
zZa+X0Ww4>G<}80j314W>X+I~+x|y#Fa5gyDxhTlU;OC5QK%w%fn~(ILk&AVzgl}JM
z6%{3m%zGN_gveL<+?u&^Ag)Rh8*gUb5?kx>?ql4VZtWpigBqWTFb@qoK&+gIMBL3!
z`Z7p8nYm<qzsSxc9+6qsHP$R`Rfay>1ycVqS^A>w9Bi+=@4J~XHkL6(tH--Ny)J*%
zc<Pg9!(LeDxxK~8uU=Xr$PK8C@5ndCG9C&b83-L{s4Tx2uX04NUFsILt?|U(G&Yvh
z)Le-bKHp+l)IRb_>E*aF-W*r*_*5vg<=y)A;k;8&5kdDWdp=LX2_G}<>D$>nxwA)R
z{>mY7lxb2^3}>x5;W5^AmGrHyt-7B^@b_=)AR66yhMYt@CdA;`w(jdH-9V*!<IXD$
z4bKCpPHEn({@Q)M*&~DJa-l0bnP)yJb5VN2)`eT^#ze!F0$w7EJ{}o;2y#tc1a3F3
z(xKl&`sslkaO)V~YGDopZe!9<y$>{-&*q9Edus?u;3mD?ixfiaMp++hxk8rsCssay
zC+d0P=NJiRa)&^dIjD?|-1i&kS(b~QWpmJe#p?aMdZ)3IzQ%wmgQbKH<zB)d!DRf7
z2OAio);+?gxx77;vg?6~|Ah&k{j1J0k)uY3&+z^ydBB*m+2o_Wnxv#P+6LpVyk%EK
z?-T|F_l-U6&R0oLol<2M%?&IyC%(t!7Zhk`LsEo>T7r<<prqc(lEA~C^Y85m4>hEb
ze6WVM-<_kl*x~c0TzfxcbU0?iES#tA?F*HWBrstu{_>gSHl&qwh>=myV}iax&bn!4
z<f`f2T(@c%y*nz8FtIpDke;|7%m$3mi$fc*UB@^#ty*js?YO35I=>klqyzO6?e}>f
z>y0O++aJ6Cx=|@YcPC>*%YerIjoWpL6E3b*Fg<O}Dl30bZw+iIvD498T6>%HJSfdV
zdH7rmq3jmEQ_LHrdzsl9QFzbsv1@-#(b&A+hm<FbxSqnvR@u3nqL2XQ7@GCP51&9Q
z!pUWg3&Uj7mY|hbb&m#skTI=SIdMt8$4z?@?InY@pgP>In~XuDe=_2NCXh^nnS2qo
z4xqoyRQg0qB4~z4SDJ|i8jr^27u9_^T{>4H6y5fW>N+i4ne0)sXv|3U+%q`c8x7@5
zbcfguij>EVg%ysqgeT6tvJ-u8fp+$10_4S_pxXnowRL>On>O&#>O^z7{cV5q)ceI@
zrQTX*&bWa`wE3MsfC874Mbr>I<oHmJ(`*(r#Ix44F(Za0FCFwmVnTP3J8m92+&auw
zx|%>Nw|Ge4=vRs_E+eLX;gPE+BGPYIu?O`AU6LSNgiSmfvQmorKN1XqS6`W<$&__i
z;dpR4@Jq~#+gDSL`4NOul4tJjJq>;Pq7u@a%XTN0Vev@t!bQ7IN=)d%O&Kk<hMV_m
zs~P{I8{)a)v7G&@MQzU!H{fmykgc%Gw2{_T!+wWhOw?HpG9M6hSeY7K=ppr_0h~N}
z?dYyP7RHz9`&^*XVn=nhR!r{_-SY_Wf`$g?&8#k)x`znIvEEyYqOLW1`||=J*236{
z_m{3344Nc`;>d>noI_Ai{*?*loJ?}!b?^jH?cP-qEnM<)WrNewaK4uN=2u)*l)I4*
zvfl1oEa-afQfyj%l+&+J4Yt3<oi=qzylR{{``1p?R-$ax%j6p`HU%i7u)$Nuh%*_B
z^9R@GR<;Q=>m}OfVW``u6`_7bY&QmOC&8T#9FvT`DNm?@{HDqHw5LPh!&h6ap3Y{o
zE0=k4BWtL~$AmA*aEbXmOz3{70n#DiuGb>2Tq4NAaJ(x9XLp;k@x~XwOlVsU5#&`!
zo-)1LLCdLoK%%oCLX=WUjqTV?`GzD?sK7*S+8DvT2}CYWp_gV8Pq%T8&Iy8;Msfwt
zf}0L^=AQGyoynjvk53)}r<?dZv^8}Kk17Y|oI?<(zO7+)S54zr>6LX)Lcs2){h3Si
z*js40?7m^dx?LapicoX5?YvQZb31}aFncr<-^tq-)unOK{Nq;5--L7i!rwN6iOJLD
z8Bfr4&DwLr+nz^jp!Lhmxz3}TXqy6qc#X-wri|ZxYp*0rELYa`xqP#DCB!5Z8rdFc
zgc;Y?$7<6MsjE2)Po!Cwsh}Nbczp9YcR$hfbRu+pr&6KY&Ea6DYjkdh+4I*1Ma9*)
z>BTD;KJXaGS9Wvr<F*qP0(3v}?31P5)MRjX3d+1WG}yCKI7~yGKFeuyOA`;BU(buc
z%HEy-jF2m&SnSk4O)1iQP3p9Lp>yaFVWZ<bEsL{Y62uRdpFMw9N^7!xyH=go$hEIo
zJs(Bws#S5u#PP^jhgQ*Kpe<xJ_P&Ne`0SDP>j)^ogJn-IwGd5eI{-94ry^I6?z$ab
zE?tzZJ^Xc2@Dd}b|KE68A&lVZniSAx*4^{-YW-B+KtiWC$F-sJIBiq&zahC7qcqNs
z+vBaNozC%O8e!yc!qo9=3?iccGnoGWnEWIDd=g{J=f9W;oZB4myg42pk4~9<l_Se?
zLc+fNjZc;Cx9kujbGbNJ93CFF)RFQ1P=FA_7fd4@`=e(DtwfPKWtW$i6%`d{4Xm7`
zvK1eyQ`B-urU(Bf25b6;ha>LxdHgI$*Up($Qr-H-$NQ(I$E&ckqT&@0i0C+9ex*^J
z@^S*t$`t#L2(9Vc*~#~;z}3#L`^R$#;bKAm_AjMzwBP<wqSg|CLHa)u%8@d{`^jIW
zI-}aweZDtGNkOq?L&swj&Z%mq1oh6zVV;ORJ^c*KyZ1L?nNP1yLqh`@^8A(gtg6fj
z-gI$MWg}a*lHMBOjXPp;g_I(@9)+;|I7^B1SYUb_*I0I+I089gG<gJ>vQSxH4P@!Y
zsoO5Ujdd%xt!}iptQVOqIL}hj7^hPZ6>&!>@fJ%wREwOo>AS-IWE1D`erkNPYWsL%
zcD=&K!-l27DV9=dG(B|fOxYvA8se#>h9FB!LcApQ3)Gz2B?hKdT|WA%q@ZxA#c=kL
z{9ats?o4ItI+ll)ProeAiY9Hna80lwFAHIvxvA^=7rY3}EQb&{WM@2y3F}NW5+Zfq
zse3F1jNx1t;V`Jnk=rUoBILKUD~)rqwv(~hd&;<Ify>(9)Rpb07&p_*(UHFk_o{#6
zcr5AM3HKU_c3Q0@E%KLdau<Ad>6LI2MCqsspp#0Zl55X;!y}}VN6A1omGqpvSa2=Y
za=>~{AMlCDZz<u8KNZdktfu9tWFLhh4cB;r?|gH(w9uvPTtytnmt89d0NpQl7sv8E
z&K4m>oEHzA1|II-=v|I4e@?>tc6(n2&n*BaDUzTI(<HS2<hxT0p4QsNF9h3>Ly?j{
zNh{6j2qe6BNFz?O!IfvSBhUP44Oi}FSUflJa}s|IJ+}Lu3hD#*XX0xd#4;?fJJV^Y
z&Od(dqAr~3Ej29NoaD2w?N!ngnklGB{;AM2Jtc`a>+g%HhBrJhQB1L$iE4NZK{yT0
zMzoIib?dW(*rv|nHnEv)CJm-K#2+FexEhN==JlFlK|yMLFu!fcw#Quq&`$Ofb?hdY
zf#w%aG)xkOs!y0>^>W<I$_(rkj<2!HzNyBBs!Jqo!YSpZ@4%U9<5xM}Y9ZAuS}O{#
zpQJv{-_XwBdtAg)Qg$_;mQndE=S3tl#Y-)k&bOq+Jgn129R22Zk6QDp6{~NrwB}6E
z9aC53wExjrFS{Nt)^!(L`;7D<X`I(aDp)K;&hrH+Rom1f0SJno2T0X?7JJ6zClU#T
zwiR7}a#2kRYd6`)T<^C9>c<9!2&T;yZ#;X2-C`T3->V*~MjEQ4o{&TL15(K>z=&D}
zaD2d;Y2lu7v^<`!)KMUBG+4|mvyN92_gp<otUxDiGQ2<xYzj50e34^0E_R+*rA4#7
zCzPdDkRmIwuv1Bm?JIPITBSsOHj(3j%VJ!+e&X1;0%30PylE*b=40jcPcBzo0u#<1
zTR}3q6Ui5nQ5)Ssj}tc+DHwW2(YA^g9MjIVvR3A+uoXxs2#l4JV$<hf37+u(N$T*5
zKh&h$dF->1cJ09$YooPsbOlK7(XK^hfTo&ve(ba(|Fi;Nq2(~phNzsId@#;S-cLAP
zkmLb1l;A}Sj=)JvTo{dhn&yX(ZE8yoEg#dSn#Eb`cf6?on!a9qGX3#k1h?`;WV+kp
zgPb@>Q{M~|_C!91vWt8)m0<x5RH2h^tbcBL$FZ1!4EzCfWt6EGZ`Bnx(LiICtiwNn
zvSe>mJ|@y#jy}~c72n9zlC)vXlZ|<pCR75t@-SQ1AWX{T8vhizFN-1BOCHHAqP4Uc
zmuRrJ11-zHri%2vp@09v^CRUHY#7QPEw6N`OL)oZMUwY{j3HcIjV@o)KFMtNt6||*
z+*esDt+7{ZCok*X%TA|kf6q6|3N$}h8c!f<X@)JMi;?m{hd;thH2}rS@?ws%=*ihf
z<(VFxD17-#B{Lx<<4X5~QH{@L&V8RB5y}c3Z@b$nMzgo{*(ms#%^eTnAdi1<ue!y)
zwL<q}%NpCFZuwf(?(NU0ZA&v);iGr0i7>Ma8U4z)#_h<I`Dlv5^dDV;z8-O80xq@H
z)ZseZ(UH56JLr}!k%Rk7S59R5Wj*y|#Wg{6)q@N%_gHgyqJa96rb;eH9T9Nmlt#eD
z+EkB5=0QZVDk*7xY&3xmyb@^T@Q%aD<2(3Ec1N9Jb#AF3C5Ov986@R)X<t{a?EP2)
zV}OMeoX#<bnh7f;sK2M2fqYVdkxuXhx#{a4OF5eMM{Rea<1Fo?J4l#8nUt|K3>qYI
zieq1`86{X)pGXGVeV6S}2)tsd8?)YEB<%$6UBG2wF7kZTGhMxw>(*8f!O4g<DCXQl
zo(cI5gG`G;^o*V>2OArzuunx_N@f=G!la1fdxOt`WwPUUUIApt$CA=P`t5gIM&6lv
z<~N5K)KFBQhy0L9*q0=|j}bhqA0bNtoVw%=<L!Csm#67sH+AC<D^Y@9mao(GFIfxB
zg7jj`dDJsFWa)FdSwC{KlXt)HodY*xOM%K)Ki5%^5vgvN?bxdhdwfxLOk>S$4!aCC
zsL(Uwhc_J@6sM>epldHVcrb^^;bMF8Tqi?0(d`jyT=I%P7)^2tJL~pxC15Mli|?32
zl4A&R2sG+$avek|J4)@KKOsTJBf$x;FLFcRrH1+KhNV-Jeo5mua}?c?Hq+6(?5a9l
z*21v#FaV?xe~h4v*P55)ie?Y&!aM2*o+&B&@Om`AJ0XN=dkwi7nEg(`F7pd1g_f>Q
z_~Vh<M`Gb81c4JA0#Pm1zZCOU?of`8t?M10zR-R5s5BWEPUxzJM>%#HdljVg#q~`O
zV;?;*!va>|FqRt>A)RL*s9`yqolwe9>Jg=9JKT_<w$okXBWo$9{pF%xOc^=Gpd6s4
z_LAZoM`;2$^~w;l1PN}klKyb#OT7<z^uI-qew4GW%hVe!$k9EA??PAWqOt?Sn%BJ>
zMtW<hJnoh&u2w~MabLH?(e?<*b`T{pJgjQRJjbpv5f1J)EWLiJ;-lsv&qt}lqp~#<
zG?&{QX(cFxu|vqLYDx)ZXCY%HHP+*KE~Gg7%`9sAY*qQQ5CKEq_-9b*P?=Goe}!SV
zE&^r0IBm)IG`h1OkA~sZQ}b`9g?G_&9cOA}u=oA?@`mYNy_LSARYjrD{&hf(qMGL&
zIrvW=Zstkb&5-p{ktp|7!YsG^x3}?O%xiiy?A7V~sz#3sW21Qq@m1`OjmW6TOPtln
zj0rW^3R&HP0h}KZs+co7foDk6QWZc(&FDUEn(NMMa$8K73J3$1goMQ6^RHG$cYZ!c
zqZ6)}edj|-r`37}_Q~7ewY@0}8WI5#2k#piGv;f_U^GiDRtn)?ibqXH5!{{WyL%Uo
z;pMYb@&fCOx&ejv21D3m%_?+7#Ci0iWWL+}e0_`Cr|csT_4srG!44hC12mix1-i@O
zj7nX9mB-kyXT-eMbvJCJP_udvEnNQ==U@be6O@1dgRgUb;8e*!K)b>B0*n1mQI=Tc
zGjh|1f5EVOe0==+y6$>HsWK{WRw)vVsO4Y(e$&{@%*@KFPpLdgl{E?(Ae%Jk_qQ7E
z|3cI+c=0nA^L45W|0|;ow)zvtL`NIX$g)J5qj0nb@vO4n{U%I|(f@jRn+)LKA^J&P
z9INQizS4hd@t&TkySw|BFJG*!tzio3EIIFUPbp2`FqNlK{54nbx1LA*MFj;`R#ul<
zwTx<LdbbKHaYldOZ@r*n!s@CKUOeipj?8at&mKi1_}@&&oUyfaVeo#Z#fJjbJtmgV
z;*@_24#g_tl9En~&cuSEoc?j`A070+q4b16&CB_ESM(4>5rQ+>j(k~m%>Z1lUaeB7
zpg8gVra;<R3|1Ex^~q5D<`iFrTw@4+goYwBdF2!Z*~p!_+%p?J9h;R%wVqmiNKM{T
zN;yN$yhii(03sPVF>nGhwp9t;jonFiH?PTd9DGC1F2sXsQbOm&AfzRwwX9co?R_y1
z+|13p2Utp^esh#HqJdhJ_MnHtQ5{fhTkUyr^zv}yEUt+=NUCp}XTs@`U<3iLi(4ny
ze@7(-`T`!3Q>G$ri=H`6^V4>Kh4NLsORM(nXC$^MiqfJBjHo3X>L`LPcRd55y*;5+
ztj?rPbbgGGW|@2HAyU;oZE36zmr=&=Al9}TU8-Dw_FRv?*RFqu+!nfRAJ+8WZSnL?
zzuWNEM-h$rFzZ&L0N`jsD&LD5YnriQCE1O8GU{F5{9l6SH#f15`!h0@o+2TcBY1D*
zU03}i{iVz!BSI3?>MSF57fhFctUJDr4LL6e*81lQMY#e)W%%hvAQ(p3rwe(?V?yaG
zv8qB@+&_1{+;iz~s!mSG`Q^sdX4FMW@)C}&@=tbc1Vv$**=!+Ey%Cc7Z=MqJBkDtf
z<^35*#-CKj7tKg|WKMUB`>zONcy${83p%Cicw)~Pq9i@D@hpj;U6nU&yszaUs=Sg&
zq1S>s>@ya%;b!p|fz+eh%QsxBWtVo+dTbf*hW)i%8t`dRHRcPoAK=`ZI4{~#w_@G6
zL~`G$1%Eix_QZM<`cb=a3=`?7&)cu6gI8gcAU6T$dp0(G$2`h-d0Bf^Nr^{YKg{Y`
z{li;9Yehm|_avdtJ{CB~NU)NFPcgX)n<6HLxfws)3%`@KL13^0EM{^CKz<aqg?1bA
zfH2|D4{Q$hJo5KCs%1Fwg?4gTvRUp)5ipM$@n59-Fv1*~6$B|D(?phlX$Xux#qWJd
zKe*wsdcp_S-0esjXa-hBJD}9OnLCF_TY?21yt0hQ`oPGmR`J5Z<W26UZxy=GOeoIV
z_GLqLyya9WI#~Dppq6WJ)sEXMh7q{wc5vpa&P#P`RZNW2vj2$b=zXYY#a8wXU54w3
z?k`8M-3hA}5G>xf(;oi*(E+(uNylNaPjqzXXU1a&;lSr?q@Smx->r6nH^uNsDsT(s
z54q#0>O-b|mJat-n4zy;?W|r1>X_$s!_8qq5!SCLX%Px?p<<R%&rc^M^&9HChE_kT
zssA{F#zXZVqSxp5u4n~EMV1s}CI=`^KpRXN@ZK)3pZz`*e$CcY>U6f$#2WCTMo~~!
z|73XR`*PS_Ph|?cc0uSRyhes@OmFxZDGLW1WwtZb7NEToe9xrEu}QRVjcHwjprLFW
z-cyCw7fG&WINWlPZ4P}Hc6lX@kG75_mF$KBWl4`rU#6PNQzLy#VvN)f2$X<;m>8+W
z07)U(0gyaM3Mcp`#&n<GmHNT=4!Wj#_2$5u82@{8o}v4E@Ru@0Wef7b@_>7pZjUIn
zWW2Js<kw=bL-aDYV%aEP)|2&a|NO*Hrn%0SX0kO+Ga*X&IX;-8G|)5W+|{!D5sZ{&
zR0L2I)FH(vu254qXFmREZ2Nt6GI_fl4=L}NTpI;J8DivJ2YN@=mMK46?6mU^8p*t7
z!qV>^x!|I;+IO%RwxBY^Vgl3qJ2cZPYu-IlsP_IngN0StBVNlrF9&5gM!W#a$E%Tj
z#EV%(4;&<@*Cw8mXA3jR;mQ(j#SQgn#T^-bpl+R-=YDmey#K@9eB1JApfII`N$-|1
zhD1^(k&cPwr>TpsZ?tlA+Co5NAMNwVlH;;*zT{=N#}A#*S~?A%he3xH;uv1&SOJGv
z(Rd;Fld0)Tx3|Rwe|QNa70MtJRC0T0C(+da1eeLwU}Iz_1!@XhLrk85vOm;Dcz>#m
z^FjxP1}|yk0G~vkzfXCFZf`cddIMUX>WgxzUKSBq>?+_u!tm~)*U2OsL<A-j<1Y9P
zh8Lv0+xK@r(fp0U{P@@2{-2!5+S(cn2D|=`92MIC{U?5Zd}3mKZS94r^|I^nhbYyT
zW3sCr>KTfr5`XuYZHPbO;N;|#n-!j6MBlC|c!>@-y$}8`#?k)06dzp%@ccJI{3!!S
z`M>RE`~M0RUVA6&z}qht7ClNk@o12_3W!E~W|lvGGZkON?ZOrfL9l{!@tkp+RBSW>
zng1J0rMRC>U0+{MPiwm(qGIl6phIy3x&Q3#&CF!J8Uu&a|7UlvF*S|eF_vPpj6970
zpMeVk8E>4%VppI42Q~a}@a>;E6z$|)&-Vxk2~YXM;!3;7a?7*eO{1fc7QI(jH7RP}
z{`A62^@ps)#Kg55jmjerW~XYwpWNJL`7^Zahne9`Ek@{?8OP><2B5p3;$zLHyTIRJ
zx6wHA?C;!W{t<>pL#S<&D^3mC$lp8r0-i)!Z7+n+Tc}}G3_waj80DD@##S6rLXG5V
zNyVGkBW5#3WheJ<pDqWZqkpnOv9qWF-AY2sf*j+gI<;>rKiY@pQ1;&J1)<|}uR4`p
zS~q-KP*G9wP!AB1#Sv$;MV{>*TzY}VQ+*;ZJs&XnQ=`L`Ct`6E`dl;lTM?sHvLWz#
zS)BWoW5%wv$XOBQ9K;W`tZxfKQ=AyuBP+%QoOT6CKMEqvo;=&>dLxU|>n2isp2a!y
z1eTUV{iRv=Y2Q12&gDdU^s<`>t7B~}a25gI*&D%w<IbjoW>ZO^n4hWmg~n)?;Zs@>
z-sVpV_Qds|nC|Jjp8>`GQl}sH8iuJdRYKyDcE~Uao{>+=wQDGwy_Y$k85~vbxV4*Z
zeVx@60>#8@n{#+u>#5Oj>a1sSXR%TI!yVAiH@J*gS10|A{ov!#hc*TeMG$%LT@bPA
z9+kRbxL(k%7Oz$3NYoEQp_)|n%6-AtnMayXeB{o%q8We(=f)!~2e+A0$*Dkfsr{q~
z!w(>zrK+5pT+H&MGyJ8=$0s$GI&j8Pd{FCNnL}a^elAOeOdLs8HzZ|G(K3CzNTl(b
znf9da>z^m}EF2>49eoj>4MQn9(Dei7>}8{U8hvAON=lp;S5_tOStzMA);wZq$6w(O
zD}FIA_9?Ep_o|kna7NNPb2`vWjSX*9VXwsqj%T3QbkcHEbO?K-IPmkBTR>lKBUt_8
zV5!51W%krqZ&ZLnx1LVR_75FpJ!itQ06+Y%TgIla-8J#2BqHDJC}AL%@QfL#A(>H3
zx9<6Jee3BcN5BlA{(YrKC7znSYkilWpcC_1=|cx3cdtzi!gtQ#*uV<y#l=3();e+4
zag5G`>A-hN=fVQN2cp;9_kaiOD$+??#F<iKcFUp91ZZ|18mlYyfB5`8I*DCRQtxyL
zkI~+6QHjPC;7=kGoJA?qC{1|t%h%VEGg~fV&eX-v-=&xFntp<>G8$c<ujgF7L&eaU
zUc>f;2CAR9>wNKsuP84B9=Ht5<J${yJl{-%P#)z;C+W}mVk3W=pHIPy&Bi{}R$Jaq
zL9Wb46x-v>8<FiUIob@CA{OSQfh=Sueg(DazSMS%<Xe*uM?T$ZKe+(7wDoSkUWm?l
zMo?rHVN;h^WBT0^Ym`0}f)3(!2}A%plbiv85y#xjD&jVybwsCCaLb^Q*jnqV2_p?2
zjdw+qJ#Bm71VYx_49L%t!zmtNYm$ayEugDa?StAB2)n$|sOGEUiYw!pJgCkTgq`|}
zj?c8vR3H8B*XePH%d@gFZur(1>VAT>py`<$O#OM~1cj7g(Jmvo?V@u#Kkjra!G^pT
zqXf-|B)soLvN)xN%C!1x56ouQ539=k<7GV2TT1duU-8zbI(masd#8qNS?-hb^8>cp
z`mw*$3joKYwF!s7x;%60g~?xGaRIX|Nf|4#@=~0?jHg2q&ZU>UCr)D7=GCnyq}w4R
zW>~}ZskyR#(>aswm#uUh3Vcjf-`iU__>5ZKEid(G@t1*99jSK4vx0Ec+bT{l(bU(P
zef6{F`()AJ^z3)I+p7%z^|t#Ggb;f6=)K3O*7jLZ8HybzZbMlgrY>U>tr<>g%tWg3
z<5i872A&id!>ifkbU9ms-fAkpO07!&V5?W!4U5_iQTyB{qe1MGqQf9B>+P2t;YVtd
z7xi%^K8a60w}LQl)~Q{74DRa^x{D465N~S;KYxMN^*gW8*c3}J`TW=7PN@;SlWzR-
zn~mj;{D_g0V!?}H2l$VmH~^Dv2zBL3o1&7U5Ox2SC6~nF3Y!Aov~9^fx#RYwkbaw*
zvPdeZj1qnb{HqUu@|`66tH8=tiw`@t84?BOF==^6efU1Q4M>V}$!w;n#L)*q?FuHf
zuR<a`3ZkdaUS2h2zYcc~jd<7nRvC0ejn^)2u__rtBc>Lm;?~+jCg*hjJwG8+$a^M3
zmw=JqHp%XZ9HLa99MsISk_pl%ThS$IPnUja!-4<CLvqv7<7HyHTA}oGpCt*lm1+Km
zN+u>fRX1)Wrepq~a(#GU>5JSgUr(#-XWiUmnMjW66=Mol?bnR1zlF^5&trg<3=RZ}
z_q|^pr^TC;_@N#hP0U$r8F5Fu;m;G{9b<;|h##SX$3A`}I)t%W8cAc()$&zG@XZO^
zLj^?*t$0L$@lq-y*0B0#fwEu9Zt^t|XPfZB?aWT_Aq-p|)WJ06o>^Qt`vaES&9$m0
zLR!nI1^&jzlpq)XxbsDCC^h%4z1(V4QMDVDeB99MdonW-g3tng`dqgU@6P3(e8U1*
zK*AkC8yx-=Z#@!?*eg`LYGjI-LIlZ2Mp&F!NRvZr<jL!Y$}!<lEat1`(H}plp~s4|
z+QZx=kA_}&=(mUJWF<HiHTR4h^`AkpKWA>6Z*J)yIOz49kM<q1GDdYq)U0LJ-;<Zo
z5qpxMQ%-TFw}`P;u9>g!ztDCpL3S%Q75$}yD0<kawb;j1hx$vKNcS_4#yk#{biv~?
zYFSA5jMA#-ijN9dg^qBFc#pUQLVhN_j)i+|DLxI3FdRPVCQ2pG%NJYpxHr)`Y!zp|
zY-?1C<7^z`tItbmpV!7DwES9QS9H!dy&1li?pM`QnoN<F1H%?qKjf5%OV?&7f1#Rf
z!MA<!CM*U%9&}|8=#QPIMn9f&Zv0??qPE%3BS6!KE9%?sq<aB+9Pw;X5v=@xEAqMr
zu)dC>=<n2ItTtcW2wtN|9hl9I%8L`JkT?c=s9S9)Ixl|AYlyW@RzH6&X``(tvIGf!
zUsj*KQP|GhJ`O#r*~pS?U0|9Eg-ZS&R{D~9K65T=oO>WzwbqUMT|phm>BvI2(9R<B
zDsE->DT`VeoLu0O2enE#vwkla!X|{e?!Lukz>+O(M12$ZmdNufrmU4)XsuUH$A{H2
zbm)g5LrqMrCfG4XFLvp2L@i~&kL8z#g7jDp%ZY1uesXftyIC3YsPtG%!H+M;_O`{)
zi#|m?x}>PLk0YqiD+y#PAFqGT&;vtfmzEX_oKoghwkE!*CY7{w&t+{f?-Ygcb?Rlh
zm``Rh60#1yCd!maQ&jQKQ6W`HdD=A$-cAe8<%IP*Zn#>8vVAX5z?qHab`aMeAyAr|
zfKt58{{|uvpWDpy*YB5d1za6>B8;xdSCkGc&6Y2pD)C=>ZpLMB8U&N^ex@M%C@fcK
z4EuqEQ~%oV%Mf(^!duN2YsIL6#{gUJT^(YZ51x6o#CYO9<vyAS;rQN80Fs_~uA&fu
zDRN`S>Oz}CS~(J=sXms#J6RC5C!|8BXx1R3xT##i1W6>Q!l>6qi;}dow1bDuFaYKd
zGaN%u^76}fpVY&Us-lRXijsXRnf<Rw##w93a^-94uUL!RdY;7-Xaqf&N%D0|liiiY
z`MPU-2OUX_cW*WHB(W|J4{qO1>Jf=fDEWf5Bj(G7F+HGr&zZA;Rqao5nY9<!kL7ku
zzn~u8L<GQm1Hd>9$f6^8Z92@qY~jf?T?uZQJ;wrIrjE}-`P_sj3#Lg~$)?=_#jbyV
zT#Wl4*=lrM^}mRH{u_VC++J<M?9pLOdo<Lm|K<G|Hg@)cf`ZEcScG|oJy7|dbM7W7
z?tDNX=Nkt~L_$n1S`VnRoR|Gm6z@Mz=>IotEdD>ZcQ_Tlpr{C~*#`Rh`d|TnLb)DT
z>>KDpg+JRo#VW&XwU*Y<wFm_T>_Cf&KOs>o?kD^IUUXnxR#(UNrYyyj^|wh#qR@p5
ze}8Etb*8tkui_BptdJYkje7e}Dv__Otn6lt#<b+<AIkAR3{L-(y7@<ig33cyM6HvJ
zscCkjcW<O*!}|;o1)R*xOkKm=TL#QOwF{}5lKH~I!aF~2-ziAgn(Rk-A0FBvB8}lP
zSue2gW857IhOmLio0HAg%AfShZ%<C#fyySvsXs-?NyxW(Mu@N5_~12B$dcz#RM61B
zKZbIZI(sG-WtHb1pClV4e{8Sk!R6jjIlh%TVyhv7jX{@1uMRmE`xjLPXkhBsJzxA5
zD2#4OI&OCzk<Zk9k&D&%jw&-u5;mHhu>6(S**tKntxkdII8D}<?};=xYV};~z3fp-
zNfG<MOEIR+{*z(?1Hh*{__Rw<g7TN-+2cQ3Uk2al;SIJMxic3<u<_ig2<p8{Glong
zi0vcgw_&12V4)|C7X%$`rSq<G4KY36@2;dN+Loug){vH6kmKEG0*fJfj*EDvgh}~i
z2;pu;BtN0<skkfwaQTgBnRll(?!C(=ZEvZ@EDK({T(NJJnp+iIr9GT_eo5hYO!NaS
zN^lX9o#`|$g@`=fP(i;MmRjn#fL>r<?<L$YIZV1vX}g>l<{j%D%nHwi^Nifa?<r`^
zI|(3!?AA`mC-|77Uwz0HoU2)*!*l0n^{;R%Nyj(IBy;1jEE&uh#G8oV0*>nPd11E}
zlC5{LQ0mXnR*;V5YKmZ_Zlf_Qj0|0@f?tGR!H+KU@UrAjr~gThPFP10yyeDFJ3qx8
z`Ni_|h}(bm*Y4bOezFnvSx3@bLD`)-MeL7SKaA#58g^=J#5sVEVZ{_rNCRqy<d$+R
z!`Tjw)zldDe@cszzegS}ycA$mi@^_ta}l|`=-bZy-9G%7G3^Gw>phiPvB?5sSDwld
z)Kz;erwD<(h@H(AM+zQiDNQ?R>o8bsbbjEf5T@h&J^tgxgs}wunO?9%?0%*}T$O+x
z-S+1WHV#TwHO&bFGGAs4F~XhyjK910x`X-WpUO;9UW>EYq;m(4rqYiVMiE2?u(_va
zv~92hb6whohmN0HX01k1!e_St2nF9e(f6NFRyxz6$#UyJWmH~>XbrXennEEIUTVc`
zw44Hyl4aQDLze*}?SlzeDeOo9GYw$^HO>EH`?@CZs8rjpd%8XEUP-uj^Nwlvc15a6
z%EX6Wa*E#^DP(;k<;Kz`wdB;NT~BwhF}x@P_N(t4{v~>zqZ2qoW_^yuMO}^g)wa2J
zrY`jnaT0dEKl`kfrRk2+<qx|hr{|pFpZGZK8Q1HB=k>L^&QFqBYY@*G?Rn-(z+1-v
zF|St-c0ZVL=9v4}>m~N;=2EG*HyxJPG4toaD{n8ZUmIYtN8@(wPBWEi<1p>bZ@D#P
zZVAMvdvlu!J<7bTeD~j$4bhWwV)IwqNOByVr1$*A+ieD6Zu=yF!(~^_0Q=|1U7x4k
zn#A))4cK6x$<uPXW{>u3CeMsVz-Zo{E^BqgO=#bdilcq~T!&&NZYi+Z_Ofq7_D`uV
zex6Mme5B^68V1*OvpbzMl;q$4DEZRVE$4T)>zUiCb#I^Avrz8;l5HwcQ-e<KzMGid
zy7g39d}h7tE$d+4ImuEt1Bz{OKAj1O3G2PW+xORZ+d6lB`*RzWcQr@qUOl|dJh$cB
zaj7#cIf3Gnw`ygxGL+1`tHONv@L}NS$X#{j-De=d`7XMkxqN-C!-Tu%&T1uA%D%tm
z`9rDs<uP|xzp9Q&hn)EL$?g?Mo;m5JQsjf@&krl>iy7?Fmb?&q&Mmb3)Sh$fD-FHM
z7T+>pSk@rF@lo!{sKhzGyz2_;3^sqW*cNkj<&-b3-h9m$xV`h0tas&1Zw*PU)(TmD
zCMa~a_$$uamrQ40-`AJ&8ZuKoPwlnYmn&j{y+x0FKCh};!?RbucD?i~7KW1bK$l;Y
z=k5TyJI{HN(23WwDNKuiV>+sLvWvf$K0ou~sgA;gnUN8XvkF>sLndl=RqyKS4m8?$
zI_rvF|Fl}*;*+^L*RE(!b!$KQ&#P(Yj?(yJI=MF<IR+H@tg6`ZVa65ar(8FFvK~*F
z#iNlJowYqq?(C{u8K3)oIcYi5tb`_Q<tmSVXK<m~xa{VJwOyvu1J4%Z8XF%{Oi@2`
zQM7xdb4Xg-q-9$dK3%1{?abE=Wjc$hqYU1pH78cysk#{<xvKZiECGfqXMssYd_j12
zxRHU0iHM!jjWFP<2vtdjf(a`$Zgp+^UAOV%fx7%FdD|+LSQuW&iEb?V@%Ee(ux<h-
z{)1)4p!UoIg({ts4JR9=<m;IjN;X2~?OJ~x2za{RY7MZgy5R`kTqWc3dm7IS76k=i
zhK604;cH?tfJ+eGLC)?vil_y#uG2%be1MaUd7wc}EOWQhrcb{Pob$yt@C%&#%**p@
zdS<rITpu*G37n}+4@Imm)Khu*>C>l8N6v1}RRT)i?mA=*TeV11BWJ05|3CeB;r6}j
TQr{$i26R1L{an^LB{Ts5;@Q;Y

diff --git a/doc/user/crm/crm_organizations_v14_10.png b/doc/user/crm/crm_organizations_v14_10.png
new file mode 100644
index 0000000000000000000000000000000000000000..256c9c3f83bf497983d906051c088ec948e4da27
GIT binary patch
literal 13787
zcmcJ0cQ{;8yYD1Xf*>IXq9hW%M6~D`qDMDGPZ=bP5{%9yghZkYg6Pp1Ek^XwqeSnF
z-h1zc;cm%2<vaH~_uO-y=l<dG?7j9{d%dgt%DeUiYH28ulQNKkKp=7z<tI8I(3Ni>
z&?UjEmw`J`?6LE}ze`R!N^+q5&fCkt1%VY<9Si~$hLWAWAOx;S9Fz^6Kp={Si@!_F
z_E}I6NW?+q30Tj~Y<>LP=Jrt4`F2;5gIc-lnEA%yp&Yn|<XXTx#MNK2Br?}^KYf=S
zYlQ1LQ;%QY%=@vX1xXVN7f?LQ3b}pvW;C~5u*pDpV1bc%WWuvR9vK_NO=Ar<YR^~c
z%i(37D#0?GN4qlSmJ97`?LN^MA$OT)YcWMuo#H~3vEIvTYbyvTBA|ylpIFI2pm%zA
zTY#8YBd?-?d&>8Hc`u3r|MMa)t`?bZvf;bxxiUT&aam{R+50gzvI^EjbG|x1GWl}d
zKw~lc%AY&9$6dOnFE^doz9fy#2p@Zu6y(_aOng;TT<GTVV%DZ|aJpoJztd!F7;Qt&
zMc3Jx`*jT%?Z;0dStW&Q-WYr}A{qFcr@vT2!z|<FHeF9xsna;*zim}nnItVyWW<Z8
zF5I%#G<~bZQ=mby_mp;Rgc>5<GGW|u{-EahWn2|@OqV!AcCd}9z>UB35W7rXssE)i
z&X^}vb6px|XIKD4`2_BP#Lu#vKND)B?K*JT528J#Z(R=#_H-%C=yi`|*1ZljP^zrJ
zS@u2Z8$;Uvwz~{^=ki*rMIu|zl;b<O>9?c@LySwF2DasPVAZ|PNCx!pZo;bll@EM*
zv2Ryf(2PQ|ORWh!BO*zRfv5B9GcyjG)zYS>rsG%W)Fc{>xWTAZYFvBO365huZp33W
zhNtL?CLAsu8CPw}jhU!4u$J=dH>=&+Z(94oz3hQ<ol9X37`Z3r@vz2TlQV)Q#1)Qj
zTRNKd9`EW>9ZjcXKS|se^j4>9O=dO5eA|S$!r`*xVpS#Sj6ZRm(PO5gI5(F$@qzLc
zJjR{4M)<_bV92J3tXJD$Xu_|r)cKcy8AG9M_0Q`bl`?M&{7gAb=?6wPI@Hyf)fv*T
zb&Hu+_}SeUR0i3=8H#W+G4;#5QRVV&r05zu2-Fhqksr3d^ZH&3>YlYg)Ii`M8Jc?t
zb>i3d0<Z3zTwQvXlS9&J;pqUYG4hC7C~P@R8d2_?T(F8zpBNeRj}>C8ggnCb4G2}}
zjCf!mCO*ZPtL5}GY6B(X-ix9oC7+A%<EEY-iUnUwTX|BuoYxVvgR{-^jSZeBPlKw(
z`i2H1ow{JX1FoX6dGPR6U7BC(znPcSc2-^7=Zo><1^F=X@;onldBr=V9EYy^tB+|*
zB|~M+mqt^YOYmhFQMNX=%{EJk>HQ#HL`m`fv7C>l!K8ohY_FWTLDyXDgj8CqnP=s9
zq7ua1VPoEU-pr=b0SBed`cz_djEK05|L?_$3Qg4P3bEnpYW-`?QU;xl@jXgqMi*)j
z2&%O!gsvMy-OU#L7FL{26L%GnGoVWqW=oMTr<41GXWLF)CRP6F6WC6rwD)t(!}kq+
zZLaH)(Hcm;pv~o0^PT(_jHFX7Z02Vwx2zD?G9=5(1@k>Z_Y<j^-4KOXFO3Guu;Ja;
zkL;{;O~g*bi4dn?mx!`)?ea0kP}onY+>cPIM5F80hJ+jI#(gUfXHNGj87(-Phl+=i
z&3w%nxrymVz=kpy&h-Gl+_|$2d_msQk&%s9)s^0maRLyCzTXQOd2eN|8z{~Y5ZGEZ
zINIyev`K$fSiECh`s@44du3yZW9DI}UkgN|x|r7^A4#UCXy0oIF%i7crYIqzvZN@H
zy+$O$2tCxC7*vocl~fXLS&66H@`Jf=FD2qr4f+$np>}Z-XjM1aZ`(3T=~Rh{1i|c5
zl^D|rH`j$F%KMAzl1{z*>&2682cO5ngj-%C^Ei1EH&+h|Ec46b?2xu_u}h%GM8yul
zxoKJ)iA2$~M|D44kTm2buaL@B`(wq2Q*%4xI>$LPd0!%m#O{qM|61!b=e4tqGzd9-
z5^gd5OJ>*XU@$T)pC4Y8!Al#m={gDB%y%o2WN(q-@01!E7?;iAA06YL#0~h8>e?|l
zm4(@@;=}Bg*SyEKt=fcYT=_{LWW*WwZ`<3pE6WJQWqryf^Pj9nEmtp22>CR4c2zx`
zrq7u@d8$`zy}3Udn(0~Lp*RuAR$lxzzd+I*DdM{}9y5_Y5mSk?({>V*Cr)epJNCUF
ztM=wEsm?W+iDnVC^~R#uMKG*3YEK>wiLUNO{-*QX%Y0vPh<{M?JzsvjVm}IZEds~d
zv#O-d%VXN=30G`a3TroTRry^8om`*s#d8i%Ow`fuPA40I^;HenPxj+xHTSRGHrGEK
zya9!HNy_%-R3GV+yDc2(BS-I<taPcZd)ql4@D(W0kE&U(t=uKe#P0+zU#gl!$E9w@
z<~Yt$nY|G#sDYNAEKh`~O@DE<SubW-!D3KbUty9wuJ_2%*2r<>qcvoc&AO$-<B`HR
zfNGq=ePMoMr$&&*AYPqx%r~)Q77%Dk#YPipDh*luWi82nuhx#IJ>G=N2Y<9ZgtH+}
zq~~*s?gwZ}3d~1<?U*8axq6&abRh8|;ppV&uwkR&IXd{PXTIWm7+A5jA=Z8A7ZhB(
z@!zDj{|oE=v!e7P))PVCJ>4&0dixL9{wHMm&zk+ODfoX<>oGav95H!%m}*<;JHG#B
zIm{IG7zvD0mL+aw;Shn|p(KtjlMWko^>IG-JhsW?M_95@5`$@h`RX}(xn0>+bE0{U
zn~*&pB|hIxrz~GTQxC!1K1Zybyt0V8e<306;m$Pm?<pvx(3FnX{7&7fIu$v|a{D7I
zw$Dy_4qTHE(dEM$Wk68^i)jgE(8mjrfm~vt;8&ocDdm7iG}p^;GhYah$9H{Ui(^;O
zT-p<y81rGyQISu*Bdx7Qzw>|6DKUbOL9C<VV!mtnM}VqO3!+`~NNxS{ap1u8BOQss
z;QDX;%BQs?j4j#7$5e7qRsisDsiiN>-S&mogQ4B8K82er6NfN<S;*_-`!!yxr*3B-
zkNvyWJu-xELECJKX8o#;$?BY6ZP(XM<X2sx`|QGGPS=#QzTxA7*(&CH%>eYE`}#!(
z8Lpv68~u}+6U^CS6K(cr6d{t{MFfW8w9Wg4k7|TA<Jf|L4!ph!E^)F8Ccv)Gz!0S#
z9g|K|OUK6Pe8w0^g~&;(Ft~)l7e+k$`U;3a4!It0d<9(M#Z~ZfEwLKwS(4^Ul4_co
z<6`>lYd3uCi^FJoWVTnnRRRC_=<W<O`LxX0tXWD4$=zB?8$x;8ZG>RSo7gPg<ZVPg
z%k`RxZ%iBGrAh<Kaok@^S!DV1o>pg7x}&UWzaH(~@_@&UYaWKg*UV4aC^=$&6pM~?
z&>RFcKk543XWWNBsi>@IwjcIX-PBw}aNf7RRn<^bdb-NT?F)MYciC&aVqGhzc!X2^
z9aJ~yEG5g+T+i|?KTRQIt}YBa+PTl<6FS;BKkHqQTJ<oEd@=YaFO=?7u;p!w`BNW`
zstKh#UXN9I`uwUqyed{hQ;CzkT-`@%6ctzmt=uLAM3W-PtahtV8i&<qzav>~D{79v
zS|%Cr(7?<keSX@6mV^Prx&+%N#CjT>^TSy>%KV+?YZO#_-=3^Chq53}!D&C<k7}M{
z@JE~TN%~()eR5=5Xsr@;3+k$BMt%?qS`%S+W?oRUoG5C9gi@;2>VVTQ5<)%?Cv#TT
zH$CBAr*lW`C=HS%zH3Wg`|x}3ugE@fsBQX`*aNW_9VQB^u0E?eNtAY&GGw}IfzQMC
zB-)iir&8!7_lhGWtb&4)Zfn1R7=4{XZT=*&bc6o-z{~+Bgk`d^6~vZwoY~Q6Fl()^
zm@;a+YXtY3)h#PYS6Nc@Pb8Y0i8x*F_m<|^zt!p=6EW-VopqRVBP28lGQ^^k8aYlz
z)7BqWScx5Xo%o_u7q&bx%BIxCTxoZH<!LF$zQ|oqPhzEJ&5(tpQN~u=d=D1?txLz&
zf}4a&#RGlg<I>W&S;I51*0S!%?OV(&h>j06`5R}10w*zxz3;2fnEMKXlcgg{*X)_>
zkda4OiJ}KCcM*@r=UIXiWJg4ljL&<BK+c#7zqNzOv$G?6L^a*b43QR5r?_J^w@KFp
zeODx(z`_8}_WPL164nrRaZL(zIw8~b5dITt`}vnWL_A{Ax90t$^|ZUTX%J06-Sow#
z7OyZSpSo2Q@5EB5S@XoH+gIhQVLmvol1FlSOzzAa4FOs&%a>ld14bQ`Tf?0A3+|ra
zBAuBL!55*I7&r057#p^iIAF-Z0R7^B==ZxKk5W;+-gw(1*Q-d9Dz9Awe%M7@rQW)^
zs(3I*SJS(C7UqtR5~nZ|aF2kJaX@ZKPO%Wv_eoowJ?O4Yow|+8qhYf4yI~hy^|49z
z>bx-vfzx!TtWfZr<@)5)lCJcPIzmZLYn~%>U9IB}g`z&`J{*n|ot-S}MyYux!1mSo
zenyWCJ?H%mKUs-4P)6Dw=54UrG^jqcbLb~Ui;^D(VT_Nt&BD}Rp=@mvzmm|Vw;)cY
zX0e5E*dty2j_X9Uu=*|4c7@9>PMOtW^)mQmc--^E?M(d4u*RWgKK8Qqqx^8yv+%zB
z<spLCl`3PW`NKxc+J{6ZW^6{-s!yjnFDA`OUwsnyShzYW@48A(-D&B&%JNcVi?fV4
z?SYwieV3&Z%BUXfh7sJo;$7;!^R1_X?}O`)9g<hyCOHrG?)%^yHEv&oa|ndf`~5xZ
z3HZo#-vJ46HLQ5xTySDnZQBZ?8Iy5?meL}Qa}4+y?ac8-)onL%17~K5Va!#r8k=Du
zdPA`+b@)q1uJjqc6+^F@Hlvm#9tKSHUM{_XKtxpJzqJu=!BJZlwzs)EBE2zi8<ar}
z-)K6&hP3gIJ_A(+enGI7dC}63<60MO`s+E-!}GV;o1bLN%s^bGgSi9f5%cWkwz=_1
z%q+}TCj#<ijT)~#Cb6Z_<v3mPs&><>8O@u3Bi=e5+sV~iuWN5vNk_I?8#fx$Sv8rr
zE&4dro`{wzBjHY{^?pg-NSd^|`m&Mijc)s!FEc}3I(i1(e_jH;>DEGukh$3P2BPe0
zA#L2|xHz}vz5tCtSD&d}JCq#fYmdGp2{K%{K4iB9Qgz}wUWud2bd{tU2r)-22yma^
z=ELqWJuT~ulr1r>Y`EIhLIl<)?-D3TU1cb(@XJkj<-{)<{9^SUv7rLuSF;yU7Ejq{
zX9GW&{X|V-Z)Hr5qwzI#m0yo#he&jodWpUg9EBZqdLYYfY97z5m17&MF9@#(>%*c+
z7nM37^;Bo^JTgq{9ygz)Z53f<_F>BthikPhzqglni&6!J(7$^gWYp_VmxUBIBrng7
zKN=}kGM)tXa~jwWJovi+j0}Dv&j`6c9E0Q_TR{_0FWe)<)%8~@OqNmJZ+tExq|>3+
z?lLeDt{C~qsI;=X!&X+NMNw=|DXt$LY>WpFRu1pQ^hEyRT%C`jT&sBIt{(a8NyARw
z8`I-=RhZ(tq{FT$uO|BsCK~cM<jU{U*z+g}GeS$FK0?A61LWl5ZtgcPR4C=UNe*ts
zjq~81HP&El<AUj-3dsGhKC&q+BU{O$v7R^AMD9(`Vl2;Sqq8jqQs6R@w>;l~BVXUj
zdwwNHN;bjXayUKJR1>+cCpiLoC;a+RODvb7iW^v_Z#U!4hVd3UPcH%iNro|!hOOv_
z@yhdkw6q?#PG;rtCY-r!v;NM;-g?su;s;X*KQPYkQRvNk&${YG;r-mBxNN@41_Lj6
z@Tx{>aG@M<NW(*~C07?Le5X=PKdUsIOqQh&J-z8rP$Ycg-l<@!lQ;L7l-R4xB5pRl
zV5+#JF;N!#=%_CK*s>lNu-^C2KG}(V-BH`@<c)<=kKC)sY~1z8<W3nl8|nztuD_CV
z#2I;egwi=^ROlt8cRQ<kjVM>thPaTgIp2~>Yj=7>Vg@szK+|ubI=guUNnxHP&k^<M
z1m;Z<_+ZrnuRz`D%Jr<$@uy92$p%1^%J12Ib5-(jMdm)j*A~<h;zE*HzMg0FCH|_e
z!5<eCipUFU+l8O5J+%^UsThDIMp?L8{&aZ`Z(}>5VNjVBLZ7`=Ua4rx3uEQk=!ms{
ziFz&{)Zw(^ZL)j+NmZ2u5%%eKs?cMilx=M%cwM5*W{UC2vfD1X((xCGTsQGYdySfP
z>~C+NECc&8a5I_Hm*DV>!$J2x@Zhn{jS~t?R`syW<KRIx(PZ`3FY*-&x>d(R{dDkk
z>G)6#*0ef{Y>u<lj1m?4MS=JLUbj%)O(zHOxgRCjqJ@myv#cS=n~`iuiFLa<7vmsr
zp0{FqpSV1;Miapkl~*E|zByS`VE;^(-ecz&(c>yc4P76qfUmbLOYhi!X&e_HDOMb<
z{ljV*zPYkjtaoEty^@u!?77eJ-lKL|Gs`8>S`A_YMzH5_zub*R%@5p6Bdn|J8krh8
zvDaGtIAQi1?AGOq$bt7VH@$4#b%sRj$cYRKO^w7QA5MA8=6Jk8ymfXNfRd%Vz5R8X
z_r6N{N}pIOk4HtDrLW_Q9fi$T(wh5oM49rFIp^4!PlrPUiWB>mIjyCZAFDRo5h$yv
zBe^A~$;cb1L@K-j{y<)K`h_qH)PL8Nww)%X@2pftL9_=^4PJEHH2`tH>~?wEbL#yu
zf5W?>4c#nwC1S&j@=O_QKli-p+QXaBFLb-&n<rX_(vlB6dXCw1RfA<njgFgwaP@k{
zD)wivWZw6~c^OUi=Q{FTUm|$YQ&fC92(XN^3*Qa8z1Qn|@<m3PLPSB|i$v(5>ZHy)
zF=qQm%UbvKYBV?x6zoOmc{CD$IWg{5TQVloYipW3+sT@sH_TLGGbzJwo5%AIKeZF}
zBk|20^UY7FHzh+qcG6dZgrC$s-LgP|Kxtau;1X*4WW(O4fbJi@k^Ut@XoKY~U%@xm
z#dY&ffD0+^Wq=O!zj=)oy&~qz>+-?fb;5+3>Gb^=i^gb;5E1CHbvjo|06$TS(dS4;
zFs)?j&xb;5rh3-=*Q7Vk@PO0k<<1jA8)9xiFM&V|j{&6(JOu)MzeIrTEdP%;&Cc<!
zPcA%9*ZBeXp7z^Oe4G^N<Z+M1N$p=p6Igv75sAPJ9o|j;Ji0MCr+s907VE7iMPLY|
zRG-X#Y21`K&rjoAut@6v7oRkn-F9Z)Ui!xn4Lmg;KLza4+4K}uDTm`pXDB~H0Fn2w
zk@UaJzy43m-#<_2UijDRfPY<jAd2$%oBkzcgh*e607~-<M*Xp3px!z~2<62{ftH`A
zqW*Zccg{bw2jnl@<70{8td%=|639$|3BG<Ywn&QqVRJt`Hzul1cG?8mYFwB=?-YTi
z-xwgPoa`QO1T1cjUY>6aG_l(fb6sP2XJ6IWs35N0QsYu3-Jjj$y5wIsEhdmxo|!_x
z7_CWp_RQ9C<}+V*w9NE?RQdREunZpqF(nhTq`~k{*B7o>1J2dvE6q(^rpIZ}O<0a(
zQNxu2jOkHt{@|<K*5$f7YPF;h2xtHcbifJO!F0RwW_&gY8YJiPpykZjdU>a}cV2DL
zM^MT^YiF&{sdRmOdqdz_o4!()$vL#BUwKVyjMejeWZ8fy!0MHTvqTF;{83(z^>VKO
zVnSfNszQtJIft14;1cm#I<?aZJzDs%t*}mh$6DmU+w}FCXJ7O2DYA$4zlsIcJTO~V
zysZwNZA=w9Nv%Eh2FCcONK3Wwqv51g*}}O5Mqt`5dKDtshbrx2ir_sdLS^@mrv^Kg
zs@o|MW5KfDd9$_k6HaX{l(U*{8*=d2nTc=9@gLSNuLhq{^wCOnKPLOzC`BUA>CiL&
zA=&Lj_qHZ-^kD%;-0NA*muN}h2cq_*9c^9dHue<EIzpU&x;$}lJi53Jne3kq&615U
z6B+L{!eep?U>aWOG)G-ljx!}iQ?i&LQe~qVE1~R7qGXFr6gd$=9tiWKXM42FH2i8}
zv>KS+g3gDIiQ*68>PeRQL8G1`nRK$BK8(Ee3#S6igWAfP8?M5Pzdh-}qA-2$R9r>r
zw+vCT8hWA34tar4KE0&piXt>%eY1##k51+9g~aw$=Y^h()reXoQGLXn?}i_zFP$ZI
z23NsY$_ic6p31^FCd`gPFZI3OjThAXmR>v=Ox{Af^H`JL_DPbbbwu|rwCI7DPx}F`
zzOXM^%sD%6_rNn+1CzF~o0L*piVQ|2iV|ZbDK`a9+s{P|@E8y9!AQ*cBd7V)lSA2Z
zpM@;^a<ObTF|o#J{tuT|c29j|H#S+^ELK{TY}95y&L<YiW<BPu5pUz^EiBEqA2YAq
zOTw4?HISL85v29y6Jl9!d$}*h$2*zbs@&_r2UB+4mi)Ggn8h{pF5qPo!iw6bOY<jd
zYPdLJC2OSL;u7kc@FzB#LD@DSXPaU_SQ^u&tG#?^UDeO2?k<7YN6uDur+ev)C^5K3
zk+#H0f5PPL2&b80Nt=V8$7vaqMXc;CvCX<n$HP{i-1$~njFHiKp;7D_S+;7M>Mf}Q
z=PNPkjEpu0o$>BUIvIBNhY&O91biqF_UtUFrd;nR>&IS(RP1(F%;&|Gt}YXPn3wZ>
zdk#uWNHA@6j)Gi+*ZZgTQG&<k74YRrMF0^-n4v5(r_L{qzMp=gZ4WJ^gEE~hH}F<H
zw9)|im(Gb9Z63~QcK)WUnsAZFKlg;UTi7;Rt_x&?dgn<9u!rn(3g>&D`3!`Li8=Cr
zhqEZA`W6|kvoab|2u(NOwzta984s6Jer4pVE2qTju|Z^{_^=i;(v<;3grRS05%)hM
z0*=7?_{3c;JZZ9;Su806sa85;@{5WbefDLjp*|+su{?FLKgZxmoZ2UUg#Pw?o6U+g
zOJ$l*j}H74JmG#a$>TzNGzcJH(G{@1z9odz`=q4eUi(?DkNY`pGo#6j{+5<~AtxBQ
zZ|396VyQ5mUOE7;KTSe_meDp~{rNyYj{M=}{HxwLl8=GC9BNh?*C?xnp9=_dXQsFi
z7>;-2@52=qdYmTab<%@n<Hfg&>fT3VCb;8z+isj`b+bA_<$re}oT-xTxJGNR^n`YW
z5@$|CJVN;tf0F9pPV($wWgMFix^o)8t%OcCmq^eiiX-SscM#v=gQlXalzi731U4~z
zIZC0~5Aj762W<^#H(YD12gf`bw>&7jl$^A?MTx3Vv(K@DB1BymeV!NLh~+LhCmNW0
z@6Sh@pY0bQ_+<AM%()5=i@6!tRavrykUr)uarT~FiPFN-%?km60#QvA3%KS5(xjFI
zn=|a%h(Ma@rrfB&{>S2{0vjb8j?b3jT^cZPxdD1OzX~IlwbB*UfR51c*j^#Dy-AV$
z;9gnJhb^A3NOQhDXl6yX@G^Z$q|Cq&{Pt~QoLtSVDlf~9iC2J`_K<-H_T^Y^h@Qri
zBytoAp)20{@=g^2b0Y-SUn(kjAe)2Rf9|l-5PZU78WZjWz5*U>-#j=!jpin7TUgY<
ztXE-)SVf+?!Hez9^pjLh3nm#1Ci9$^XzX#jUu>ua<{Zyuk_%MEIWa;aZ?%&w#vUXW
zSgf!ZKZ_v6U4G)k-J3+*%5>J)JHp{F?k#BZ6j?mlNh4!YaS+J8<=^!N_a&y^7-Bh-
zhk*I4R}aBVbSuv48mMut<H3y489s&2jpZ8lt}Gz%gK;>rkyHCgV0n(k#Kr3*t(Mi4
zuy$Rgfv)eqn3Cnr56h#1Qc|3riVca$aGBuzJyd?)5&09fxtVNUwOXACn<qZr!)`C>
zOv@IGB=iEdnhS3W%EoM<D^D6cX?9B}sn~1zSNbF>X#?k%d(tyLmVEYVR_%1}@|!tJ
zY>Aoa_pW<`$!B%b*|M+?3;dh>2?sS{Q}ffMvi+_VFZQN0@Ec$KJ_aD%-?Yloc)MGH
z5i?S*ucv+?ItUkYT5TZ-)Be_AeQq;`2>y`7$|85$)@mzhuLY)YW0<bF9k2Qb<&Q-l
zFSjFuA$duEq9x*Xr`J=%fs>{+n`SEvyVuHV_G<PIZ)JrSI-NH|CwfN|Hdon!=jFU>
zbM%qYg064IWc-_aN*APklZhqvq{<QFJ_z6CL(KzH<G*v>mk%V8i(`04H*BEqDQ<R@
zfkx{8XqMW1Twl@|H2NJcTgzq1zxP1zO8(u&|9?^Qe`us%#25PNd&3{eiB$cowy6FH
ztn4R$G!^%MQB+%6pQ;qPrqdQ{hoWvm-oI!9`8Hi=d7&e&t*uSX_O7~$UvKXEcZ!4u
z0c#iP>>Y1JmMb2&|FW>Gs>=3@5&Ojhumo{5P+jFubqg{3iLbR*1|zDmkxlEW5TNGM
zi_?>L?H+qeJv%#&jEi8?-dtfjgK&8LE%fJ$)IA#Z=FM;Z^>-4Cn;!(Be?oxLgGC!I
zq$F$GRW!ZgML33v$c_gWs<!2!FD&39w8v49-|nlctH)k424K>8e&cKu6FJ(+$;tA;
zKn+*apHl&Kh~vc4QkF`7q;-?ht3}_n{{F8_s(H`Vk+xrmca_$rJLdxy#BARXW8+!S
z4Y~pRQa|S3Y)#c`ZS<o|x3i^VuSVx<{Pfv^6lL7l|29IAHqEw6^0D1}$w_dQz~!S9
zoUKd8eZpu%Q*|pyeaId3*a<Z!<;4AiheDTs`>mZ_C++>=WY*Qp;T(ek+%Ec{nv?)L
zm>vCP%KxR4kC{Moa{(?l(fZIPi1EZXH;ST?0eS^aggtN}6_)S3_4$Ms?$bV?iFA!d
zy+Op*bMS-c2b_^2BM%uzv<CNdb7N?tcy098$7!yj`M#*=sV)*3ilwB3n~AYEnbe@j
zj*MxmH%FOG=RH^PK|dWsE+c8xi494@7DoIAt>jm`V(mWfpVLrT*#=+q>bH%&LfS*>
zd$HweRhDj;R-A$b<Z_JhS~X<7YA%aeDvU03X@O*Hm}B%<z|F(mEOc<f6i~nqQI%CR
zvMU2ZRIW7`(uzaKc}rPAcHIN^g*X!Q+j0NqYy@Phl4M9bxStOCD&Ue7NwQV;?%KfG
zW>c8e!!ENa<L}F?JY>K;o;l_o5E;rgs@C`f(L!``SzAi{JfyEDM}OFYHTxaw9_-6U
zjt)^Jq^zMS%*^oJLAfZJR;vlqz_{igY{I@=^nHpCHjb*}=@d*SSC#djzGY&=#wYz~
zaB%_KTSf0*O)$fNW5Sw6me#_$7`<Sw8;|5E4bwDI!GjTc#KVMtyLA;^TdL0k9(?kf
z+n}{Xu%&`aUmt(XR2pzpu#=^4b4vNYO4ohqC}oA-bON&ml~2|u7@!ghz2VUqj@rJ#
zmo0#$)8!|lro(i7ZK(pM<ayrP2vb>-ei(GbM!(B&n>nBvJC-*UFf=T&PiXk@T4kbj
zZOBz=HNY0+X87fnKPqm86Q-DgOO|i)Tt%<b{7QX&8Xk>&=f1rq6tRG5dZfaS^VQR&
z2)W_j7~U$V{jglXSe?5Cb(({V1balTG6c4|SAUzpSA|fdma{VUnJN$>PJm1yulvgb
z!G4(^IlflepU$phtvs_r&hC76XSmYx6?pH9aEtH~0<8X@QIBB>l-q9e#%HkwdW7*;
z<PsD}17m!(x%xS5I?sBqSVDGgeWcqTLTyz%!uHlUAL|Ldg=V;|V(u3D^ZBi9V9vSV
zr|YvTzlg9aX=YI6T00V1wFcQI6GalsQXtk!BNB9KYHA55cokgIco8Na8GrLlZv3|)
z%0q>_6)<zP)Als+0{LXRJ6x0~!gUV2ji1z4tKMbP&a%Z;aFhs0r?JVq@X$DXj4!{9
z<@HgL+BiiTl>jM%zDb+K>oH+s3{dI{vd|)FunT;`_JL)5?Zzi5wE@ac-X%GirLNJt
zypiN7vT`7FW+bbzw}k#rW~jOnm6b(#;6-opbPI^9S>Jig<I?YD2{~KWt3B8GhCF}j
zvAYTPxLV3mRE~Kq4wotc^JGoASpPb-XvG^y7wb6Py8|wgr_RLm-^yPmHcT$cwX7ce
z{*YCl3{5g#PUGx)b^shYPdPMRqZ$^8?9w^^P0u}4Gx8=Zi3JqX4{YmcbcG8c)=Oqn
zvqSXjOG2>dt2xN$Xbu46^?tiU&YtA`h(uW%AooRLfx?Re)i~4~W`BQwm^ZEfH-s@+
zCr7KNJp;HKz{m`y4);7_EN~nTIB9esYut;!@JxWc2GAA&<ZLaLw=Np_H>53MmiG9G
z!C(Mn9~%7&-)N0n^7?<Fb{ykg^o(~TvLxIx{cWWVgd^xq#9x3`P4C@b9lF0&{8mFR
zHk>Hk@XZ)4WPs#V%e_Bn{V31_-~<yhGc#-IH>wOUPOu9A{D1xbfA^cQf6Q6T_^mYq
z6!`dKq4q#S(0}#4*+16(o2K~pN95HsC8ee7|A7q6y|x=iMt~#ZR-HIy-QMrQHj-KL
zK<J)-L$AiI@ci~_d|6mklnfN|1dpbmBwk#L`NO|4`yFDFxp{diQ$?$`_d8T)UG5tK
zRdfDSEdpK^9The5h;rp&@Mt6y;K|%SJjpxS6K`NO`>(wDPbRAE|D;4Tx46Bxw{%k1
zBDZq#m<11{I2G&yu+Oy&J#K8uql>wJ2SbJLDk>?dJLc&L$uLOLK{GQl*0ih%ZG2&j
zxryjzBgWXtpY!`}4lg)etq1ajUpV=+9N4J;?0&|9^b>cUes8*+r!hR<_mcZj{~hUv
zNzdeCQI7Us`}6nTt$bu%|H$;1y)i+XrJY4ElNWIZr=x?v{lz&ue7C*9*5G!A$;|B7
zSUjKV4|(vQW}!iW+5V!%x;H>vwo{2*dY@5Y)^gY^Ch*{LXMB*+n=KW!YiJ)FOz=^O
zWJ|31t5_CF(AsVBj|!cdbvcUnT5tpXqEKx6Yl#*H+Zb|NP8%H8U^}T=lt|9O2Eb*a
zSFH+SdpPuxJHYzc2~`q+!Hd(&)R@k&&W1mjKVpgbwq<?|NI|x!@H+cCnmLF2=1y>S
zP~UYBVS?U&5^F<glti8<Yg55Bcy6E^Uo66X9XiS?-hvYPWKka>Vd&<pG8aE%#VcK8
zqt~G<2o}Ai*<0(Jxr>rCPN^JZ*Ut%=Wc=|H_KR56O0q^SlH4yr`l0OPb7Zi%7EPpd
zg>SX%z+|hqVY6_$wE+ow!J^h(5cG~Bwex*lV5hXXc-wR|l~Y9tk8(Kx%)Ge;1t)EV
zBaBe|O&&Z>&`3|E(3f?T$S$8W;h{bUhT2cnrPC1^jM?=M37-f+J-B^)|7Cm`>#F?>
zMf<t|<Z9FR3X0&#8Xmh-590zg$nA(-eNBj6bXhX@p;IPz0S%PRR-c(O6Mf<!Rra7D
zYK(txlO`kYC_``k8<Q}`8dy3^?c!DeQPh60EUMo8NLHH^Xe5ut=q>2@O`aT|fc!)N
zjY`O!kBY*5juM{Iw<@w<D|gSidrJjBr>hDi=r{RC<X*eU)MR&;6bqTiW!44s(AK{?
zP!_6=C00EX3lrX$A~>`*b5&_Jp{4SLb-Q)=fk2wb_-2fd(GtOGd}TigUo8orS}X;6
zVWyvZh~^W3k{P-e@&N2$eN}@lKtlZp)2GDAnC-?9|JuTcM6E^VE`QGPEJ;$4uaA6;
z&gayslkvu&ntWD9363T>1MHRr!(Ay$%?HYcJDz%NFDkfd9DhWznJmGhyT5WD(n(o6
z6|a!9O|ya?TWx97oRM@mbea~{9I#OXeF#vAQW>Fw8vpNUI0&~8$oJm~*5z>K7F?t&
zh9L8y@`on6ka=t~*IVL+14eSR9htS0E}zdSkX(7KOp-vvsA!~>)A>!hHwfY7dr57+
z?8>}Bh_pzh`tR8Bf)5$-+aI$8^{yUJfFuIN=>xialKbq}uv9VKsz@d#reXyWBT6)1
z1_1Q7exEU~JBjUxbo|YjN~J!z+C@S9lly|HHX5nLPqKV`;iXIiK3*Bl%?tWpSP*i|
zaAi}(mPcioh9CJj)6o8`OP_5YEG6!<w3dd&z?aE44#BXp?B_MyaXQ6*#5~|JFt99B
zGy{5ya-4u~pezk|z$G~6+}F}Au_5<5TOFyn^ns00ODP|v`idK$1%s+TeFTS<hp1~{
zgg6)&<D9?mWsy4Co22Miu_y_D#zsUt)P&S7>p3w5>KFNLe=LP}`n~_&H<lgvK|`LA
zNHT{bvmw)nFJ5N-&fowyg<cw3=$7s+yViC73@(V|#*dG`m<d2jtT-=b@i_5CeqWdi
zuwT{7a`R2WqDfsRx<%yaz^JH`h_{vXI4wFzTmiB202IlMNYNiwg%tC&;26|_%|jNQ
zSTmOJ>lz5;@+>mGw7Qx(&SDpG9vhug1uprc030T~=+d46#Q9Rm$qW!F@V@{G48eck
z%zpyKx$En;zuk8VOznC4%1l)T0V3r7Lxj2Z)yI~$ws`=H?*C=c@La$*LH-gmkQ^Ck
zZT(D8E!r8VdcidRNG9}$jdbQ0WU^rVhep3z+7iQ;0K4=zrT+iu_(1>MCpHpeLjjra
zj^Y)Nn5X}fw*PM#$$xCti$}_1uZ6!jcR2&#LPNO=Jwk859ced#DF@_5KYQ<2Va|>b
zij{6)X#SiHv^)&-7%DIqp#3sBI$Dxt@#lfT7&gg&p;AMa-34_LFPHSZG(cVC>;0R$
z$W;nu<`WPoeaqbcA1SsiDk^HNmm;fZ8&EOqe^ty4s8G-!%Ng{4QACD+7DZy$q7zM;
z)&@EfHPXW>DJEt`q>GPx3FveX2&;F0F*qb7cFri<(o5KdzePh`9h=-wItWnDGii&^
zV$nkDFE*YROxmhvp3p+xVZYLtz;4PEgLrPxJ~i-d;CcKG$8#qi&f_J2N=G&&cY~}{
zD=F-&tDtwOs+~dwMlOvnTJOtrc64A<2qbR;*zdW&0zsG!P8hrgz(2e&fPZ)|<%)V0
z*J>a!mV?F2G!U$>7{5#LwM1f?WoxjU(maCl1H*Twa?-I4txF&`M*z7LjV<LFTVs7b
zixky|TXdkRDlY@TU9YlKcN*pq(M?T();L|cN&*)3avLq!XJxcbUco#Bfhw~Be|D$W
z#IqX*dyO~jQ!hNLk(<fQ)4u2liHh?4leUEYYo9q503%h?)u9s}WScEJkV(CT;V%{0
zfBM74x>#{1LIWxl>E8BrG(GtklKs4FApQo5R4|b5mdcOx5&yt};i_FSCu+JGhTIr3
zKcdswR~3C<J{uJi-^+qEP2D!;Dqr4o+(L?1MhIVfBaCx{FaaM-R;K;u#_>JlZOF#<
zf@GC&YHx(83oZP~Zc((#vq<AdciL5yB}@sYxt8>nqO1wA$;ny=y?W&=Q2f2j)I=d=
z`%mnbJ#5|+?`FndT@syvL^aI2=%v;@*L$mX<t!wNwml>#zp9(%$%|64OzekA`J0Ee
z0VCH)Y+nXw7cv50mR`yuFr>bpW5PAs#JZaC%y3`GdH=#y*nSU>5#Wa(YjefNjKRKM
z54gJ<rlU4Q`4RQn@$(+l{ouKP0AH`QupL%&3BT<&KT@NP^4{-qZXfK>x!C7r8V*_e
z8%l@5S-fg4bf>Rq@_FUaH1+d!0W`$=8>m}}Gj?}VD2V~$yr5i@c%%7>%RTw5qt2gc
zfHkRnHH5qS$l3q(FBJ+jN*$v6nax>?j2QdPcD89YYz1{=z&R_HPfSh2&&<87Z;myG
z;UI=|n(0t9H>a*l&c5Mu%aYy!g>S#$36;mAYq}!hEdd8lbX~J2q$~Wlrb#^rKvN_(
zfEHsnWPhWEw7q{}mKlE$HfuHQ@I0|@wU$Hfi$+5&8!VI+kmR_BqxwP3cLvnsxDUh`
zfe&2j+~!fbt`EZOg1_Go(+>zy)Y{OeEhJYg88{seWp+Pwh-pfo$~M7PTot<;cYMNc
zIz+8P4Y1=ojy&K;9ugAPU#I{BXZ-Y!F6w!dUgoY$D69+CTyW=7x}Ufuf;JO{-+kr9
zO-^jc^l2Ql2&WT!V0uRn%V?#=uO<i{yf(~O#qi8x!<l$t4JOy0lL}TaaB{u3)X0R`
zd-fYu;d}SBHYDVYtawWW<r9cT+e)DWGXn^e_+8%@w!i$W#{((Cq!J%F&;G|egJEX<
zf}P*KIdBuqD=iq{A6xG95k`VV#O$-b&I!2^sB}K$(ju!aetf^2H58X7%@H57on`6g
zDE+OK)g~%0&7RM}IzBc_kj*CAc0a8E-0f>Ak{RoyIj7xSNo(Eht`)yz-~8MaJGi|8
zsq2r9*Yb-}DFnR>>G@|4(i79qc??sMk7RU^3@45Lr3$Jo1vt-OUbCMRNSC<~8k(nG
zka$ssBZH$=R$zCl`w~UUg5fNC+9lA@U{?6<;Ly;kB3Si``L1KJSc_=bg)b$O+x)iq
z{4;q~&14<dpxNs}vbW5jcN!(B;s9)nN?fqrW6}R7s2v0nkWtamrGWGDFjgt*{RhHC
z$BEg~eo?6G)&G+)M6LX5cF-_eufhjk@t=|<hxX>b&ta0^ZviOa;P0vOe=}1`D(!Q6
ae(5oHadvlz#x{WcAQc6TC;4*Eeg7A<4;cvn

literal 0
HcmV?d00001

diff --git a/doc/user/crm/crm_organizations_v14_6.png b/doc/user/crm/crm_organizations_v14_6.png
deleted file mode 100644
index 2bde3823cc71510a0887a53842033e331e0e90dd..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8244
zcmcI|cQhO9`*(^`wbFW8G*+v4tXQ>2&`FIN5i>@O5)!pXQB+ZFwPvkGDT+$07_o}9
zic*^(QEHS(Y-<0~=ljq5p7(ps@4WB#_vW1BzVCB#U)See*XMIx3HOX|bDX_&761Tn
z=-;_v1^_Tt(EHtI80f#;FEz0A=9Hh=Z9M>{kAI0iU~<<r(ggr2lh_WOPSeM%K6kAB
z007R8Ki^ZGs1GgxfKZqI4PA?1IF)3N;J@9{xxSg~FAn5oXgNcG;h(7iJK#BO!55w+
z$suI*?q@=8R7ts>>&tvF51e_R<{STNY~bsSPLLX6W*p=`F8@_onJ?we>-H<>FMo~w
z^uzol^cQA%X&^=^^y4Z^dM<|kp_O3v8b%cNk}~LkbO>h%^d|mN6feCo6#+5=0K%TS
z!r<M%^geG?*+a1kc7Geo5Mz%jHn#7;4k|Cs<IImD9V!c1y1KVHm)-`hlplAwQvz>}
zcF&<~ZOGV(LXMAP$Z&Q0gAuS&TVmQl0grJrSyIbu_0k@GulV87Uio@9?$+&=*F{3o
zbO3LgGze*CPW8?Xs91-{#>uCaFj#R>(MtQR(K4YNFK>;I^`YfiSt(rh5!F^d<qOvk
zPlTV-zIbCznZGctb+cz;LN+mo?2YnhwW&rZD6<nH;v(NjHwA7iD<0ulN0GTGZ;w`0
zxV44WqetOCTx=1Y+cz7l^e>8^?Ie5o{|E?NcRU3EYzWlr9418`-rqDl?D$=hz7u5-
zI$62%s7D^7&_6gR-w+fP{At0Chz-ldISG@SIlm|6+><$ZkdcbZwwLif+I5%@M5e6F
zG}1TF(ThJmqg#ts!U`QXS2nq0@wBjlzKta|rBjmWty}OOOHaQ>X{C`3i%L~!y1|R<
zo0bX>sgWkNhhr}GOc;YVc;xXfbPGIZNhOJ?=503ob(3o*PU?hzNe<z#%DY!gwsfyr
zZ|K5|+1S9P?82+ej(SS&m$ql~pfdAzoac`n)L+)&YH9>ldCM`)a@l_|YuEcU$(->c
z3(QWqxFZnL0^CX@W80)4csWL2_k27LYJ!E=A`;VwrKHO&Rb=ptp^bK0=il-+Am8fu
zQx83S_YWVA5GsdYLX<_0Xhq@E={aAfjrT=mVMQ7?#?Ljo1P8jO9wTS0oc!nVySMjA
zJ%P~NtzBE2h_C<!HG6eWiXJhs=}wJ(6Rx(Hg$)4c|0)&~@4cMH^EscR(-UXhj!biy
z4x`3;)FqrHfI%o1FE6j3I?@A@ixHl1;q)hC+6venc8Hr+(-e77du_XWKXLmrc7M{=
z_{E8%WKE#q@aPy1^qIE@Lg<aHtwSSZ?N(1hl3-c6VB|3Q_&B_)&1`()1ZU(cfOZqX
zpRhmd6jvhN2vHa$Yx_9N|KLIFp7`f)lMX0wVfewj+WepJ?HF#ET=l^a0b_@gYovi9
zjlJ3ViNpF(8Il~eW_Nn;Vfaz;5}UV-fO&}fr!I{bzT~T``?t4--Wzn$-$!co*6uMk
z7&sOLz2rsVMZ=2A)Hf{eQdkCq&&QWLlrd7v2P>PktN?(=x0J(N+FLNGq1|aE`A>-R
zzNT1`G_VY&&Dy!oxh^){VeVm7$;P31{B^!q2QD13{(CvQyc`9u-%sl)fX|gi^iTL6
zr%&Zyz^$KrBfm+#aquPny(9O^Rc%Yzy3BZltMa;NlA*M*e@*T7^gx}QYq2(KqK7a%
zQaQY#(PzV`f#Tuk0>5RKX`oT0j307WHkp*iinfiRPl+#HGsx3aJJuZcsF%%nvx#4J
zcL*u}?#&xNUoy`fS;ghLGT%lIeb=g%6bYX1EUdv97OzH3tzvCbV(NhL)haP69E9n}
zlcORJE9(<{EA*!5>I{s!{uLAuWff9sdEj|Ci?T4r?_0%QmG#wE4oH$8*U^OX#2-Bo
zU%$(+9?O@J&jI-olC0y!J$V4dVdY{$;K_0lemv0G(b%%65t(}K#BVCx+(;q6MIgI3
zekWjoU3I&7;FwWZ^RC&O70TyuoF2nNIIKFV9^<nfdK+<|GjixdAPfG9JR;eVB^U)e
zX^xC3#kSARNr`RQ5QW!A_O<0xm&sXaOMRp1V`oJiMl2(&ZFA6q4PaIee03o%Ec9V`
zIF%9=c%jHkbyPAVsm}i^wSV!axUDff{E90jEsFbCgxgzS<A6C+`j@z7f*oad+8YWY
zo!oSl#f{W!TCH@dCVA0X?iB9^cpf$+yz?wR&oma<qzH!aE^g##=HwmJ!a*=mw=sC!
zkbu6?iA3~H4;RUtX`650PM?ke`qr)#_lSw?TQ3C8dK!}N4x6-{IA}Fn3}{v!81VeF
zUKLit_fC@~MMvuPp97kk)CBhAAE@VQGObt^Mp=1|$6eWgBk-{cr=2g{g3(S2%Z`*n
ze&ua%oAV&MhcFZqOn1h}TqAOWB+E*Wssq=nA1Ur9jPoQ8EzVJ_7vx7jXYXiOb&~ON
zm{z`8YvG8!jj;(A^dpoZ^_Ru&@B6rciwu>l-sQfi;O4;Qlhm!!?cXTybI5u%3BSiM
zU0HWa4DzsXM`MNhfI0)+RQy(s4Pt-fD(KMH6Tj{LX)*WKo`CZvPES-de|w^sXYTG3
zY{^Bjk+Vl%Zy3W=*a=D(%Ct(?wIF}qk7h^|?*kX=Xl(ju4;S@30PyLYj_{YF(w{<8
z4u{+GJr3KE@VOVKLjJl00Q~qM47_iim~!HM3?i0yYOv4_9q-bk|4U{Dc{=~)-x6k~
zUyR{@$B9hN^grBqp~Fsh`QcnVeG*XV|8COhsNZ~a8$QFt6$(>S@CABbb=hkt;9uSn
zds{gFA>oIW#Iei&@Gw~UK>Z)LgwJjcasPO(A77yW|8dTf9WL;X|5@j1?Dc<e+x;iT
zas`-Yi@8as3$aa(Y=o(M@A{93=8a4Qy;~8p--xu9B=?0Qse-5psuT&;BX-@d)+O<6
zL=m`^mS6-{3VUsXLJJ*!#CySJDtek4?3**h7g}s9rLvcoTpY#<5hG~otflmK`z4xS
z))5)Z@F|LpdMHQ7PE|`aCF0BZ_;ca{@h5WXVPSzgJKqR#;r7K)FfBLO8MbKqhGuSS
z&mXo%+UO1(e0rW~HZ}|f4%jvtbqLzOqNU=0eb;k^WQ?oZMIuv&cxdn?>hh$t`%mGu
z=_w*8QeZ{9!0jhy&~E6YtJ-(9qpzJf*c>@I|7b?|kvh><mDHod;3G#rl4~MBG=)Z!
z_UG)ytG&^AuDYc2h}hVB;F1q>oee5dd4}G<6pEvWo*{5d%1hZv?}aE&cB$Jou0M|v
ze&m-n-|((Fww)-&RlAo|wlLo2$oyE#jlRa`I#XJvN3Cso@2dUB4omvD2yA{rySZbL
zoZy_LOVZhTDIhmm_*D2U<hy_*vID#YQhMU~QPKz!U>-u<Nh4Rgzu)r0mfpV`#aIdk
zVlmpkKUCl2&5_?7dHWsSFkHgo@4ni(>!L%E$$8f>lI9um_4!`=k|L?dSZpgeQ^W|P
ztC1-ULLRU3HCRGI^LTv0-y3>D2jpyJVB*Z*dkRDMzlE%B5KaMG8Yc7_u=jpl3j4t0
zJKY!?R^Y~88ufdTZxf4)MTs*<y0egf@RS;ImApd?MXo4l^fPv74&VQ>w{o}`WADkP
zbnmtsqI4dw%X`@4*%12E7fYfL$x?L){P1W)V36CdoR1nqik{3`fEDHJ@Z1Ha+2S&`
zq1CH(qAqa%sNdvqq0R+C8R<v6jw|`OqEtc%9`S2)`LF{N<36(J=RQ_A&~SURI^%np
zQjCK^1^g|@%rt*Dg#{P8mk9~FXuNB*DSe6a8uwq(Iyr6(eiUQD7gldhobSEx4%vus
z4VjsgSNioma>LQdDa3Vq=|vCBO>p$$w>NdCT-c&ihm2oYZ!^=wwmaD`!>n(<#3pnt
zq2}5SwY@z_stf|jy;s)9*{5mqAzX1ZOr3Q|^^7k=CErs8-;HSvEm#nzaoO(CfS1P|
zE_9=)(uDf7Kz6uQHW~yv&?|&;qcq}>lMs{(<3snwFrn|3LQr=I4SH8Wn8NI&uI+6?
z1~uB3Yh?|6r;daE#v9KV26^n5mhU&%@vzGQ!aCd>imju91GW#AT82C&KV~fro_01-
zFv^ByAm1d^?(4%sAwL^gl^T}45eiXw^#!#avVNHPDb-h7pOC<KM2hEwU2=uKMO<<s
zw?ba?W6+(Rj{ct`CXBbO1P7&Z6eHif`5w-Gty#0fZ8hEEMuV?ItFlUyNd}E5y3*+5
z#oJ|@c|sPAvN~ckyb0Zg*!v={9k%BnKZi|-gW^-VLU8JV;7GY*M*UFdRsVSOs=aAf
zkk2g{in_iy8h#K?ngM*GRS?HK;KG({8?UFssR^3zA1o5kJc5t3)q_jQ?jF~O4eG4;
zUSC@(gDrUn<lZC4Y5DjtF;2eXeHi+Hwzy`>)bV^@`1;4;7Jg7@aU&&XZ?Z~)>v|F_
z5)@@MW>a5&vYb5J)v6iewoPF-XJgS-Rj!$%B7T##(9MGd)9ZDOw^vK8!m$488b}I@
zA4!C}OA^a9BWxI&f1>njSAj$j^3pX2RP@lpXBJ;PEHWb0NCv)=rl2L>ce33S8sdtC
zA4dn;x(&#%IETmm&IOt9nDu}n+xW)aiR_gdcfe<k+__U&_oGi86|^`lxW=c+&hL@i
zTA>Kf8i+ynHqHlWXk+@;E+x@mj0=-1mlzzKSmP-e*B|-H!zbivZ&u^;Any#NaQAa8
zdiK$FZ_*;S-Z&f)*P3nj;1F@YP@kRY(8oteFEU16nT@c2jFGDg>usL%0TwYz>~dBj
zb9C4pTj|7bO$jK)HP5H;`CG!Sc4|h!^zcQ&-WR26L7=GdDHQF|Dt6;xxiXp;|3%32
zVZ~BZ?%~RW>mKVz#SF0(mCU!@vc~=`WoV-P8}xzKuL*lwFwbMbP4#O*oau`^EoJ2X
z@4#%|qu!>zUG1=Yeq*njZyh3TLy*I2!3F!hE6uC^2^Zk+Pg-E=Wf!p}aHV=pdzE9$
zaGwKs@9;^uK7?pj79nqg_poh0l{Y;#=RT%A+Pal-xNLJAw!8J^>j%CkLovDP!0gqT
z3;1KJUG{b6sNen>>|a+)6@|J}Q5{ItGehfpn=w+Q;yZk^EZhpU8rVl7wsbaJp>tub
z8;f%oTX%#bRy$Mh+O&YS%C$|E%$s$B@$-l-GzT90DQE}&)-|2bR>V>pP*mNB+Um)Q
zR1Da2pd}u9QVTC@<TdLw;UA%fk7XKBD~SU}Jsk*l>xkN$6SQoyFt99iBU>((+*Qm0
zHfh!v8Wbv;Z|k4yl(*<w-N%Ig6yn~=i15o*v~RwShFGl$o$d=+z36sw`-Ju+mEHKT
z$7L~XFPpY#MAmjlmL2rI7$1lHW;dENL8pMjN8}d?jzH$0elt-=&1}`vC@S|?I_)3O
zN#8w=E(w5XUY5*{JHGx)1B|OP$UiRl^lt`$$N&G-!M~Fl(SH;PfbjG`kVOBjjzX9T
z!@)dkv1Xsad}%Y$;?)Xv8adWWzua=2Lx>lJ{L{?d6*sx?DA!$sdIdB4)CY@<g4R8C
zRJTzzb%XNR;Iy!nD#s@PKm{U;J06Oc;mA-x6H6;pUGKjmO#7F=1i<IJeU!mc=edu7
zO?KdhQBHi5&I<YkJHxu^WyVQPSN$)6TVSKKDY^9LlMi@#$*QL10&gRk7yv$Rlth7L
zCddnnRp@D5CPT&9g-o5`f!Q^EF6EoT+WS|T#A7VKg!G;11A$8NPD8i*;dCX=FWGyB
zupDE%*kHJ@d9m3C_-Ib0M)#4$R_}eO@}h!UpD}|2c4@r&Q`a6|mDtTsm@cBAOJUNm
zWJq-OtYLpw&#s$npzdq+mj^1>2jlcg4289?G`00R=AaIf(2nCMssUY?YK%S6`KbMw
zx){jI1Pzho)~D);WcKs*cPUv*G$@c7dpea#S-A!kXYPNXJm2bXflG2t!n<l~<M6fN
z<=4wG{4QBj!^uI<bw}4j%Wc>CxH#+Pgdhz+$0C1HT)rgp@qSszpdWp3fCeX_t+;-_
z$poFXCgPZ-u-WdM%faw45PHevD7_G-Z_;F>5cd5BP(+5EvvX2ehO7PIm1>?|2uN2I
zIedmwDDu;XvCK+Q(c^=+@1E)w;5KCIda-nwzV<BeQoQIl*Lp9WFWPAa0hV8T^8yrJ
z5BzlJl+j0bvAw&P+<c9b5TUfK;CdEniWD}+FLFwXH1f;{nEo_O>X1IrE_He(-TkW@
zBw50Izw2z=6#(EtDP7@u)oyMgc|B81w(v&2^R5Qv$jz&POxYh|->28<7ZKmrMeHpE
z#gh=wA(YH(V&Ve&h2az|k!e;W&q=rs#AW^BOLAe>nOj<PbNRWaon?>JJ@&Wmqg`U>
zHsRs*agiE*2Sg<g@!#3i^fuf?T_U4)MGvTP2sp<)>wjNDg|t@ie5|FEBn<4S{p?)e
zA~al6<t{?B=(`;C`_8L61wJ{2;jOS04v0e)eDii5R6_iIQl!EuKt);LU-5pB;`svm
zPF?Hl?i&mVjI0p;1AiaGCrfSmcVl=<FD5HF3DYDpQeGD3njDz(gS{i-#&<50LWI2y
z6>T$rP%asAwH+!jKU{oJv0CL*VDr@BPSPp9tK=U>Ety$sx6gGj0v?lUe#(vrfSo>&
zSoLcNf6;TDjwGE!gJ{T0dR^-WPy~p|IARNqDHi>c$b7wV@lPu982G;x5C4NiN#+dU
zJKgZ(f<Ah9)A%=q$^XFi|Czb<R@;G%WQbz`&V*d%*>0aUSn2o%sm_8%T%e`*+?+Hj
zFZObi4nGqj12rI@CE9m;XHRmBIKCzVKhfCSf4E2{clAh18(m=QD6+b6v8QK${$enQ
zCNt9OAH97|a#~Cca~N0~6mcop4>b~w`4He_Z9|kbfgq!kk`KF$#2bkt0st0sZiaR3
z*jDOk=S-%UE@N+GUHbK35~BjKxye)DLsAz41}O&7mmSuD_P)wLc60ptx%e10^8h~;
z#!6YuFVtN0BQe7XdI|Me(D9c0y*IA&f-gt~9|LYLHYXLS9aZVhd#3~{2w4Me@J9uA
zNa%3BD@I1V?y9pmd);U7iOP%fbo$ITDtNDA?Jc_&0;1uKlJw}{qt<xqf+Bp0%oM@Q
zSH2^AYbhVv$T7&P0a>F^2Kj!SO~%URjoxUy7d1etZ9pG$D;x?N-j?v!sEWEcYHi$|
zVx0$mXQP&}|AiHbEqC!Pmz0Jc+W*EHWqd=>`78Wqukzkz8qfQ~gtE4rOv9R3GqpR8
zFH8H)G2`9=h%T{+`5J*%yP!`-zmctj&`zZ{wDw863|ZG=J8SlZN#Qkp$W-)Xf2~L{
z_#I^~P_|>$8-98yxWGL=rp1+$(42+|ODDb8oqvo`EIdHjzUol%ny>lv)(XXYl^S+1
znA;U18_kgtQ8Mv)Bb6Kr;eC8Pzu`NuG4U(Bj2w_=3^e<NaS0E|x(fpzypP4JcZrJM
z^$<8Pu+Ky?ue+T*8GE6rHgvC#|0<RngEF}Hc1;rS3CZgA!+)8r__i%(^BE^$&(BT0
z5zpG7J^E{J{2Qvu$?W!WV~tEe@|=totC(M-gO(qDCnk82+V0=6qn}3cj?pLgjkIiy
z8<}IOZ2CWA1VkTn5BE{vk|#0Jj^x)<P$yJ#gr^$%#<PDGM)Sj$^S_+D(HyvXr--YA
zT(b6(G}>SM{<wKf@?i1a7zX0;>2jq;lHsqr;1lNSJNsR^DxeY5WCZRw_T6&W-76pS
zu%5lj6wb?}*HY^$?3YY0*zGEW@$4-!0kV40-oA=PWV@_P+)7SnW_=TfRw?p)gA15L
z%xB0gkik$zf6;12>4MknYP&<)m@!fu`i^*``ISbIn-uPK$r4To`Bqt~$+KbOdy*5x
zRRPVulQM9@4WhB~+HD7+;&D$6ILbPy-={y$Vq!zXaVyUTW-UE0bx9v)TV-O1>qTl^
zmrl7EJW`S+p^?NimQ?!6>qoB=5%CRr7o!ioED~n45TM|#Y)uKw`nVx`aLZh$$Zn3x
z3CNPo@gDY1&28LR7@Sg5)JO{fg$@^a=ou90iV~ZU28Jn?gQt2ClB&-fdB~+X`(5i#
zy^L^{)Ui?1>~VMq^-1Rk%ekQM#S{7?Xrb%VchbKo%6MIjca^Vpz$Iv<H+4tly<E}i
z*iz<>AEB8QO(Dcro@-Fsl(W=OrJAc$dLXesOIU9IJFN*Cfoo#5k@b=QijS3^I9Dg$
z!@bU(7<6lH(XVR;O&%Z4w(cyZR@fnYi~)IF?L@K6(ZLW26u1|ysK}jR;|~grZm<wD
zgo%*u2Qt*WHr7|q3o$yK&D6MNxi`NMFyZ@@Y+7hHd<1jXiM&goP9Qop)Si(gv0<#O
z=$YEfn=UuSLM5H_gY&1z9qL{14Jnp(E)l3`U0B4yv3$`yTw_MxC;Y1rgd_Ac|E0!r
z@hLqL4Vs5+P<SJoQhkJlImX!Syvd@gMBSMCL=kNKm8WLY{ao4vgvnlJ$*gv=YsaiN
zP~vZuL*`SCyT7ZAI+iMtExoylg>sqSt_n6g3y=B*$|d3jiv)mh^R^tmm3G?;sby}7
zpYaVUmu<KIqS^#Vn-RS!xSzTFg-*Ntk+m6P+l%fVrB`LVmN+Y|zlGekSZuEQ=G~uH
z)w%k1)|;}q|3j#ysrDb_cgTs%0%wf#g8uq6(?2CU(lv5Lw5#w+#`_k%xmZ(ajzz=%
zs){yx0r4~RwdK0(aUO^RtQX!^oV*9~&hGoH5Fj=dLfXpsioJiDgW(f~wWy_ONnRsk
zKSXq9;hTT*wN{yXkc?90L86Jw+=}T3rI#vvbbndNsbT@txSM!3lsZRG08G&wdt3e0
z$F$fQkgi6R!2ooG!c4k5zWnS&ccGFce*{H~HI?#^`;Zec#f00G5?|JSe%LqMx;+@O
z8vOLGZOe5phvG{d75kfv{EiwNghtu=FLdP-ecYCE%zOIr^%%OWR<)QTi=){9SqXmz
z(knliW>Q!H73M6EKlMRCWBmV=^uEY6>rOZL$<)0X+ad5DS33V&SwCqijA7?lPL(Wr
zWOWqTQdly}jBw~OYv`oGrP4E~&$MuMVA>dlE-uzevwY*MHa;-TloO4GF{y{~5($by
zkV(qpZp!Bp(Z)Y=q5fa~aQ3VOr@1torHS?YJybcokj+&$%@!}8(E75ppz7h3>|#I0
zN(n<{#kL8G;d$IpddgaP%<oiiMtG*(TMvVQ#y5jUsReQ)TbHn#`khrQe>a7v4A3F$
zbRb!rt<!Eacc%))2Pg*&Se`v{@#<-gFYyYFQ+1t`kF9Od99@~<q5<z-3Ggl*t9{v5
zf<XliVBH)j_VsStXNPPhOgv$RBTbB3p;Z<o^=@?36>))Tz~Xa?uA>HeM%?a2r*WCq
z23Lw|n{SJ?>!EBRK$aORW%)+7-E4b98_X(Q5I4J}?Ppc}^_Gb~dnJa%LGV!6x%2Kk
zlj{Yb;zqOwosx&U`qLCxRjdD&`Q^DSuTrvLQyVw^3lJb?xqM9gvs2BL*r50!XlbnQ
zLv^R~q+AU`h>Y8LA2)dqwd!d@rOR;=#rXrLY<!Ks{t;gXPIc(ZmV5(u(QS$Zb!q%x
z<HF}?p~9mAA5n_j-i65;S6a(nFgz@rgN<T0IekhrR}6-W{z$aPM-`J%Rs$Y`ck<ua
zOM%>k1mzBOO6n^fP~N`)73HSV3_El_I!Fb!2J$>5nT87oLewuOTY^qIV<GTw<q#b#
z0YR_B1HwK?ME(BSGk2ff=NDj_Ef@ZC?fI?$m)`&ERsDZ|2Is=|Hcn1GJ-%BZ`%EL7
Qju)VR)A$BP&oTPH0D7xD6951J

diff --git a/doc/user/crm/index.md b/doc/user/crm/index.md
index 201f6f710b9..7fc11add2cd 100644
--- a/doc/user/crm/index.md
+++ b/doc/user/crm/index.md
@@ -49,7 +49,7 @@ To view a group's contacts:
 1. On the top bar, select **Menu > Groups** and find your group.
 1. On the left sidebar, select **Customer relations > Contacts**.
 
-![Contacts list](crm_contacts_v14_6.png)
+![Contacts list](crm_contacts_v14_10.png)
 
 ### Create a contact
 
@@ -86,7 +86,7 @@ To view a group's organizations:
 1. On the top bar, select **Menu > Groups** and find your group.
 1. On the left sidebar, select **Customer relations > Organizations**.
 
-![Organizations list](crm_organizations_v14_6.png)
+![Organizations list](crm_organizations_v14_10.png)
 
 ### Create an organization
 
diff --git a/lib/banzai/filter/kroki_filter.rb b/lib/banzai/filter/kroki_filter.rb
index 75ccf998f60..845c7f2bc0a 100644
--- a/lib/banzai/filter/kroki_filter.rb
+++ b/lib/banzai/filter/kroki_filter.rb
@@ -6,8 +6,10 @@ require "asciidoctor/extensions/asciidoctor_kroki/extension"
 module Banzai
   module Filter
     # HTML that replaces all diagrams supported by Kroki with the corresponding img tags.
-    #
+    # If the source content is large then the hidden attribute is added to the img tag.
     class KrokiFilter < HTML::Pipeline::Filter
+      MAX_CHARACTER_LIMIT = 2000
+
       def call
         return doc unless settings.kroki_enabled
 
@@ -21,10 +23,16 @@ module Banzai
         diagram_format = "svg"
         doc.xpath(xpath).each do |node|
           diagram_type = node.parent['lang']
-          img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img src="#{create_image_src(diagram_type, diagram_format, node.content)}"/>))
+          diagram_src = node.content
+          image_src = create_image_src(diagram_type, diagram_format, diagram_src)
+          img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img src="#{image_src}" />))
           img_tag = img_tag.children.first
 
           unless img_tag.nil?
+            lazy_load = diagram_src.length > MAX_CHARACTER_LIMIT
+            img_tag.set_attribute('hidden', '') if lazy_load
+            img_tag.set_attribute('class', 'js-render-kroki')
+
             img_tag.set_attribute('data-diagram', node.parent['lang'])
             img_tag.set_attribute('data-diagram-src', "data:text/plain;base64,#{Base64.strict_encode64(node.content)}")
 
diff --git a/lib/banzai/filter/syntax_highlight_filter.rb b/lib/banzai/filter/syntax_highlight_filter.rb
index 07f82c98666..bcd9f39d1dc 100644
--- a/lib/banzai/filter/syntax_highlight_filter.rb
+++ b/lib/banzai/filter/syntax_highlight_filter.rb
@@ -56,7 +56,7 @@ module Banzai
           retry
         end
 
-        sourcepos_attr = sourcepos ? "data-sourcepos=\"#{sourcepos}\"" : ''
+        sourcepos_attr = sourcepos ? "data-sourcepos=\"#{escape_once(sourcepos)}\"" : ''
 
         highlighted = %(<div class="gl-relative markdown-code-block js-markdown-code"><pre #{sourcepos_attr} class="#{css_classes}"
                              lang="#{language}"
diff --git a/lib/banzai/pipeline/gfm_pipeline.rb b/lib/banzai/pipeline/gfm_pipeline.rb
index f4964f779ca..5e7c2f64c92 100644
--- a/lib/banzai/pipeline/gfm_pipeline.rb
+++ b/lib/banzai/pipeline/gfm_pipeline.rb
@@ -12,10 +12,10 @@ module Banzai
       def self.filters
         @filters ||= FilterArray[
           Filter::PlantumlFilter,
-          Filter::KrokiFilter,
           # Must always be before the SanitizationFilter to prevent XSS attacks
           Filter::SpacedLinkFilter,
           Filter::SanitizationFilter,
+          Filter::KrokiFilter,
           Filter::AssetProxyFilter,
           Filter::SyntaxHighlightFilter,
           Filter::MathFilter,
diff --git a/lib/banzai/reference_redactor.rb b/lib/banzai/reference_redactor.rb
index 81e4fd45966..c19f992078a 100644
--- a/lib/banzai/reference_redactor.rb
+++ b/lib/banzai/reference_redactor.rb
@@ -65,16 +65,15 @@ module Banzai
     #
     def redacted_node_content(node)
       original_content = node.attr('data-original')
-      link_reference = node.attr('data-link-reference')
+      original_content = CGI.escape_html(original_content) if original_content
 
       # Build the raw <a> tag just with a link as href and content if
       # it's originally a link pattern. We shouldn't return a plain text href.
       original_link =
-        if link_reference == 'true'
+        if node.attr('data-link-reference') == 'true'
           href = node.attr('href')
-          content = original_content
 
-          %(<a href="#{href}">#{content}</a>)
+          %(<a href="#{href}">#{original_content}</a>)
         end
 
       # The reference should be replaced by the original link's content,
diff --git a/lib/gitlab/auth/o_auth/user.rb b/lib/gitlab/auth/o_auth/user.rb
index 200f1a843e6..d9efb6b8d2d 100644
--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -239,8 +239,8 @@ module Gitlab
             name:                       name.strip.presence || valid_username,
             username:                   valid_username,
             email:                      email,
-            password:                   Gitlab::Password.test_default(21),
-            password_confirmation:      Gitlab::Password.test_default(21),
+            password:                   auth_hash.password,
+            password_confirmation:      auth_hash.password,
             password_automatically_set: true
           }
         end
diff --git a/lib/gitlab/ci/config/external/context.rb b/lib/gitlab/ci/config/external/context.rb
index 308414af47d..512cfdde474 100644
--- a/lib/gitlab/ci/config/external/context.rb
+++ b/lib/gitlab/ci/config/external/context.rb
@@ -70,6 +70,16 @@ module Gitlab
             }
           end
 
+          def mask_variables_from(location)
+            variables.reduce(location.dup) do |loc, variable|
+              if variable[:masked]
+                Gitlab::Ci::MaskSecret.mask!(loc, variable[:value])
+              else
+                loc
+              end
+            end
+          end
+
           protected
 
           attr_writer :expandset, :execution_deadline, :logger
diff --git a/lib/gitlab/ci/config/external/file/artifact.rb b/lib/gitlab/ci/config/external/file/artifact.rb
index e6ff33d6f79..4f79e64ca9a 100644
--- a/lib/gitlab/ci/config/external/file/artifact.rb
+++ b/lib/gitlab/ci/config/external/file/artifact.rb
@@ -37,7 +37,7 @@ module Gitlab
             def validate_content!
               return unless ensure_preconditions_satisfied!
 
-              errors.push("File `#{location}` is empty!") unless content.present?
+              errors.push("File `#{masked_location}` is empty!") unless content.present?
             end
 
             def ensure_preconditions_satisfied!
diff --git a/lib/gitlab/ci/config/external/file/base.rb b/lib/gitlab/ci/config/external/file/base.rb
index 7c45961b738..4d7cf4af9f5 100644
--- a/lib/gitlab/ci/config/external/file/base.rb
+++ b/lib/gitlab/ci/config/external/file/base.rb
@@ -79,21 +79,21 @@ module Gitlab
 
             def validate_location!
               if invalid_location_type?
-                errors.push("Included file `#{location}` needs to be a string")
+                errors.push("Included file `#{masked_location}` needs to be a string")
               elsif invalid_extension?
-                errors.push("Included file `#{location}` does not have YAML extension!")
+                errors.push("Included file `#{masked_location}` does not have YAML extension!")
               end
             end
 
             def validate_content!
               if content.blank?
-                errors.push("Included file `#{location}` is empty or does not exist!")
+                errors.push("Included file `#{masked_location}` is empty or does not exist!")
               end
             end
 
             def validate_hash!
               if to_hash.blank?
-                errors.push("Included file `#{location}` does not have valid YAML syntax!")
+                errors.push("Included file `#{masked_location}` does not have valid YAML syntax!")
               end
             end
 
@@ -104,6 +104,12 @@ module Gitlab
             def expand_context_attrs
               {}
             end
+
+            def masked_location
+              strong_memoize(:masked_location) do
+                context.mask_variables_from(location)
+              end
+            end
           end
         end
       end
diff --git a/lib/gitlab/ci/config/external/file/local.rb b/lib/gitlab/ci/config/external/file/local.rb
index 3839c43bd53..3aa665c7d18 100644
--- a/lib/gitlab/ci/config/external/file/local.rb
+++ b/lib/gitlab/ci/config/external/file/local.rb
@@ -23,11 +23,11 @@ module Gitlab
 
             def validate_content!
               if context.project&.repository.nil?
-                errors.push("Local file `#{location}` does not have project!")
+                errors.push("Local file `#{masked_location}` does not have project!")
               elsif content.nil?
-                errors.push("Local file `#{location}` does not exist!")
+                errors.push("Local file `#{masked_location}` does not exist!")
               elsif content.blank?
-                errors.push("Local file `#{location}` is empty!")
+                errors.push("Local file `#{masked_location}` is empty!")
               end
             end
 
diff --git a/lib/gitlab/ci/config/external/file/project.rb b/lib/gitlab/ci/config/external/file/project.rb
index b719a1675cd..1fc22bf3780 100644
--- a/lib/gitlab/ci/config/external/file/project.rb
+++ b/lib/gitlab/ci/config/external/file/project.rb
@@ -35,9 +35,9 @@ module Gitlab
               elsif sha.nil?
                 errors.push("Project `#{project_name}` reference `#{ref_name}` does not exist!")
               elsif content.nil?
-                errors.push("Project `#{project_name}` file `#{location}` does not exist!")
+                errors.push("Project `#{project_name}` file `#{masked_location}` does not exist!")
               elsif content.blank?
-                errors.push("Project `#{project_name}` file `#{location}` is empty!")
+                errors.push("Project `#{project_name}` file `#{masked_location}` is empty!")
               end
             end
 
diff --git a/lib/gitlab/ci/config/external/file/remote.rb b/lib/gitlab/ci/config/external/file/remote.rb
index 4bd8e250d7a..8335a9ef625 100644
--- a/lib/gitlab/ci/config/external/file/remote.rb
+++ b/lib/gitlab/ci/config/external/file/remote.rb
@@ -24,7 +24,7 @@ module Gitlab
               super
 
               unless ::Gitlab::UrlSanitizer.valid?(location)
-                errors.push("Remote file `#{location}` does not have a valid address!")
+                errors.push("Remote file `#{masked_location}` does not have a valid address!")
               end
             end
 
@@ -32,17 +32,17 @@ module Gitlab
               begin
                 response = Gitlab::HTTP.get(location)
               rescue SocketError
-                errors.push("Remote file `#{location}` could not be fetched because of a socket error!")
+                errors.push("Remote file `#{masked_location}` could not be fetched because of a socket error!")
               rescue Timeout::Error
-                errors.push("Remote file `#{location}` could not be fetched because of a timeout error!")
+                errors.push("Remote file `#{masked_location}` could not be fetched because of a timeout error!")
               rescue Gitlab::HTTP::Error
-                errors.push("Remote file `#{location}` could not be fetched because of HTTP error!")
+                errors.push("Remote file `#{masked_location}` could not be fetched because of HTTP error!")
               rescue Gitlab::HTTP::BlockedUrlError => e
                 errors.push("Remote file could not be fetched because #{e}!")
               end
 
               if response&.code.to_i >= 400
-                errors.push("Remote file `#{location}` could not be fetched because of HTTP code `#{response.code}` error!")
+                errors.push("Remote file `#{masked_location}` could not be fetched because of HTTP code `#{response.code}` error!")
               end
 
               response.body if errors.none?
diff --git a/lib/gitlab/ci/config/external/file/template.rb b/lib/gitlab/ci/config/external/file/template.rb
index 47441fa3818..c3d120dfdce 100644
--- a/lib/gitlab/ci/config/external/file/template.rb
+++ b/lib/gitlab/ci/config/external/file/template.rb
@@ -26,7 +26,7 @@ module Gitlab
               super
 
               unless template_name_valid?
-                errors.push("Template file `#{location}` is not a valid location!")
+                errors.push("Template file `#{masked_location}` is not a valid location!")
               end
             end
 
diff --git a/lib/gitlab/ci/config/external/mapper.rb b/lib/gitlab/ci/config/external/mapper.rb
index fb62b48c076..eae0277314b 100644
--- a/lib/gitlab/ci/config/external/mapper.rb
+++ b/lib/gitlab/ci/config/external/mapper.rb
@@ -143,7 +143,7 @@ module Gitlab
               file_class.new(location, context)
             end.select(&:matching?)
 
-            raise AmbigiousSpecificationError, "Include `#{location.to_json}` needs to match exactly one accessor!" unless matching.one?
+            raise AmbigiousSpecificationError, "Include `#{masked_location(location.to_json)}` needs to match exactly one accessor!" unless matching.one?
 
             matching.first
           end
@@ -182,6 +182,10 @@ module Gitlab
           def expand(data)
             ExpandVariables.expand(data, -> { context.variables_hash })
           end
+
+          def masked_location(location)
+            context.mask_variables_from(location)
+          end
         end
       end
     end
diff --git a/lib/gitlab/database/background_migration/batched_migration_wrapper.rb b/lib/gitlab/database/background_migration/batched_migration_wrapper.rb
index 057f856d859..e9f77d10fea 100644
--- a/lib/gitlab/database/background_migration/batched_migration_wrapper.rb
+++ b/lib/gitlab/database/background_migration/batched_migration_wrapper.rb
@@ -4,10 +4,9 @@ module Gitlab
   module Database
     module BackgroundMigration
       class BatchedMigrationWrapper
-        extend Gitlab::Utils::StrongMemoize
-
-        def initialize(connection: ApplicationRecord.connection)
+        def initialize(connection: ApplicationRecord.connection, metrics: PrometheusMetrics.new)
           @connection = connection
+          @metrics = metrics
         end
 
         # Wraps the execution of a batched_background_migration.
@@ -28,12 +27,12 @@ module Gitlab
 
           raise
         ensure
-          track_prometheus_metrics(batch_tracking_record)
+          metrics.track(batch_tracking_record)
         end
 
         private
 
-        attr_reader :connection
+        attr_reader :connection, :metrics
 
         def start_tracking_execution(tracking_record)
           tracking_record.run!
@@ -63,80 +62,6 @@ module Gitlab
             job_class.new
           end
         end
-
-        def track_prometheus_metrics(tracking_record)
-          migration = tracking_record.batched_migration
-          base_labels = migration.prometheus_labels
-
-          metric_for(:gauge_batch_size).set(base_labels, tracking_record.batch_size)
-          metric_for(:gauge_sub_batch_size).set(base_labels, tracking_record.sub_batch_size)
-          metric_for(:gauge_interval).set(base_labels, tracking_record.batched_migration.interval)
-          metric_for(:gauge_job_duration).set(base_labels, (tracking_record.finished_at - tracking_record.started_at).to_i)
-          metric_for(:counter_updated_tuples).increment(base_labels, tracking_record.batch_size)
-          metric_for(:gauge_migrated_tuples).set(base_labels, tracking_record.batched_migration.migrated_tuple_count)
-          metric_for(:gauge_total_tuple_count).set(base_labels, tracking_record.batched_migration.total_tuple_count)
-          metric_for(:gauge_last_update_time).set(base_labels, Time.current.to_i)
-
-          if metrics = tracking_record.metrics
-            metrics['timings']&.each do |key, timings|
-              summary = metric_for(:histogram_timings)
-              labels = base_labels.merge(operation: key)
-
-              timings.each do |timing|
-                summary.observe(labels, timing)
-              end
-            end
-          end
-        end
-
-        def metric_for(name)
-          self.class.metrics[name]
-        end
-
-        def self.metrics
-          strong_memoize(:metrics) do
-            {
-              gauge_batch_size: Gitlab::Metrics.gauge(
-                :batched_migration_job_batch_size,
-                'Batch size for a batched migration job'
-              ),
-              gauge_sub_batch_size: Gitlab::Metrics.gauge(
-                :batched_migration_job_sub_batch_size,
-                'Sub-batch size for a batched migration job'
-              ),
-              gauge_interval: Gitlab::Metrics.gauge(
-                :batched_migration_job_interval_seconds,
-                'Interval for a batched migration job'
-              ),
-              gauge_job_duration: Gitlab::Metrics.gauge(
-                :batched_migration_job_duration_seconds,
-                'Duration for a batched migration job'
-              ),
-              counter_updated_tuples: Gitlab::Metrics.counter(
-                :batched_migration_job_updated_tuples_total,
-                'Number of tuples updated by batched migration job'
-              ),
-              gauge_migrated_tuples: Gitlab::Metrics.gauge(
-                :batched_migration_migrated_tuples_total,
-                'Total number of tuples migrated by a batched migration'
-              ),
-              histogram_timings: Gitlab::Metrics.histogram(
-                :batched_migration_job_query_duration_seconds,
-                'Query timings for a batched migration job',
-                {},
-                [0.1, 0.25, 0.5, 1, 5].freeze
-              ),
-              gauge_total_tuple_count: Gitlab::Metrics.gauge(
-                :batched_migration_total_tuple_count,
-                'Total tuple count the migration needs to touch'
-              ),
-              gauge_last_update_time: Gitlab::Metrics.gauge(
-                :batched_migration_last_update_time_seconds,
-                'Unix epoch time in seconds'
-              )
-            }
-          end
-        end
       end
     end
   end
diff --git a/lib/gitlab/database/background_migration/prometheus_metrics.rb b/lib/gitlab/database/background_migration/prometheus_metrics.rb
new file mode 100644
index 00000000000..ce1da4c59eb
--- /dev/null
+++ b/lib/gitlab/database/background_migration/prometheus_metrics.rb
@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Database
+    module BackgroundMigration
+      class PrometheusMetrics
+        extend Gitlab::Utils::StrongMemoize
+
+        QUERY_TIMING_BUCKETS = [0.1, 0.25, 0.5, 1, 5].freeze
+
+        def track(job_record)
+          migration_record = job_record.batched_migration
+          base_labels = migration_record.prometheus_labels
+
+          metric_for(:gauge_batch_size).set(base_labels, job_record.batch_size)
+          metric_for(:gauge_sub_batch_size).set(base_labels, job_record.sub_batch_size)
+          metric_for(:gauge_interval).set(base_labels, job_record.batched_migration.interval)
+          metric_for(:gauge_job_duration).set(base_labels, (job_record.finished_at - job_record.started_at).to_i)
+          metric_for(:counter_updated_tuples).increment(base_labels, job_record.batch_size)
+          metric_for(:gauge_migrated_tuples).set(base_labels, migration_record.migrated_tuple_count)
+          metric_for(:gauge_total_tuple_count).set(base_labels, migration_record.total_tuple_count)
+          metric_for(:gauge_last_update_time).set(base_labels, Time.current.to_i)
+
+          track_timing_metrics(base_labels, job_record.metrics)
+        end
+
+        def self.metrics
+          strong_memoize(:metrics) do
+            {
+              gauge_batch_size: Gitlab::Metrics.gauge(
+                :batched_migration_job_batch_size,
+                'Batch size for a batched migration job'
+              ),
+              gauge_sub_batch_size: Gitlab::Metrics.gauge(
+                :batched_migration_job_sub_batch_size,
+                'Sub-batch size for a batched migration job'
+              ),
+              gauge_interval: Gitlab::Metrics.gauge(
+                :batched_migration_job_interval_seconds,
+                'Interval for a batched migration job'
+              ),
+              gauge_job_duration: Gitlab::Metrics.gauge(
+                :batched_migration_job_duration_seconds,
+                'Duration for a batched migration job'
+              ),
+              counter_updated_tuples: Gitlab::Metrics.counter(
+                :batched_migration_job_updated_tuples_total,
+                'Number of tuples updated by batched migration job'
+              ),
+              gauge_migrated_tuples: Gitlab::Metrics.gauge(
+                :batched_migration_migrated_tuples_total,
+                'Total number of tuples migrated by a batched migration'
+              ),
+              histogram_timings: Gitlab::Metrics.histogram(
+                :batched_migration_job_query_duration_seconds,
+                'Query timings for a batched migration job',
+                {},
+                QUERY_TIMING_BUCKETS
+              ),
+              gauge_total_tuple_count: Gitlab::Metrics.gauge(
+                :batched_migration_total_tuple_count,
+                'Total tuple count the migration needs to touch'
+              ),
+              gauge_last_update_time: Gitlab::Metrics.gauge(
+                :batched_migration_last_update_time_seconds,
+                'Unix epoch time in seconds'
+              )
+            }
+          end
+        end
+
+        private
+
+        def track_timing_metrics(base_labels, metrics)
+          return unless metrics && metrics['timings']
+
+          metrics['timings'].each do |key, timings|
+            summary = metric_for(:histogram_timings)
+            labels = base_labels.merge(operation: key)
+
+            timings.each do |timing|
+              summary.observe(labels, timing)
+            end
+          end
+        end
+
+        def metric_for(name)
+          self.class.metrics[name]
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/error_tracking.rb b/lib/gitlab/error_tracking.rb
index 259b430a73c..d71f9b5e7cf 100644
--- a/lib/gitlab/error_tracking.rb
+++ b/lib/gitlab/error_tracking.rb
@@ -19,7 +19,8 @@ module Gitlab
     PROCESSORS = [
       ::Gitlab::ErrorTracking::Processor::SidekiqProcessor,
       ::Gitlab::ErrorTracking::Processor::GrpcErrorProcessor,
-      ::Gitlab::ErrorTracking::Processor::ContextPayloadProcessor
+      ::Gitlab::ErrorTracking::Processor::ContextPayloadProcessor,
+      ::Gitlab::ErrorTracking::Processor::SanitizeErrorMessageProcessor
     ].freeze
 
     class << self
diff --git a/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
new file mode 100644
index 00000000000..4b6c69a8b33
--- /dev/null
+++ b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module ErrorTracking
+    module Processor
+      module Concerns
+        module ProcessesExceptions
+          private
+
+          def extract_exceptions_from(event)
+            exceptions = if event.is_a?(Raven::Event)
+                           event.instance_variable_get(:@interfaces)[:exception]&.values
+                         else
+                           event&.exception&.instance_variable_get(:@values)
+                         end
+
+            Array.wrap(exceptions)
+          end
+
+          def set_exception_message(exception, message)
+            if exception.respond_to?(:value=)
+              exception.value = message
+            else
+              exception.instance_variable_set(:@value, message)
+            end
+          end
+
+          def valid_exception?(exception)
+            case exception
+            when Raven::SingleExceptionInterface, Sentry::SingleExceptionInterface
+              exception&.value.present?
+            else
+              false
+            end
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/error_tracking/processor/grpc_error_processor.rb b/lib/gitlab/error_tracking/processor/grpc_error_processor.rb
index 045a18f4110..ab0df39e512 100644
--- a/lib/gitlab/error_tracking/processor/grpc_error_processor.rb
+++ b/lib/gitlab/error_tracking/processor/grpc_error_processor.rb
@@ -4,6 +4,8 @@ module Gitlab
   module ErrorTracking
     module Processor
       module GrpcErrorProcessor
+        extend Gitlab::ErrorTracking::Processor::Concerns::ProcessesExceptions
+
         DEBUG_ERROR_STRING_REGEX = RE2('(.*) debug_error_string:(.*)')
 
         class << self
@@ -19,9 +21,6 @@ module Gitlab
           def process_first_exception_value(event)
             # Better in new version, will be event.exception.values
             exceptions = extract_exceptions_from(event)
-
-            return unless exceptions.is_a?(Array)
-
             exception = exceptions.first
 
             return unless valid_exception?(exception)
@@ -39,11 +38,7 @@ module Gitlab
               exceptions.each do |exception|
                 next unless valid_exception?(exception)
 
-                if exception.respond_to?(:value=)
-                  exception.value = message
-                else
-                  exception.instance_variable_set(:@value, message)
-                end
+                set_exception_message(exception, message)
               end
             end
 
@@ -59,16 +54,6 @@ module Gitlab
             fingerprint[1] = message if message
           end
 
-          private
-
-          def extract_exceptions_from(event)
-            if event.is_a?(Raven::Event)
-              event.instance_variable_get(:@interfaces)[:exception]&.values
-            else
-              event.exception&.instance_variable_get(:@values)
-            end
-          end
-
           def custom_grpc_fingerprint?(fingerprint)
             fingerprint.is_a?(Array) && fingerprint.length == 2 && fingerprint[0].start_with?('GRPC::')
           end
@@ -82,15 +67,6 @@ module Gitlab
 
             [match[1], match[2]]
           end
-
-          def valid_exception?(exception)
-            case exception
-            when Raven::SingleExceptionInterface, Sentry::SingleExceptionInterface
-              exception&.value
-            else
-              false
-            end
-          end
         end
       end
     end
diff --git a/lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb b/lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb
new file mode 100644
index 00000000000..1d6547256c7
--- /dev/null
+++ b/lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module ErrorTracking
+    module Processor
+      module SanitizeErrorMessageProcessor
+        extend Gitlab::ErrorTracking::Processor::Concerns::ProcessesExceptions
+
+        class << self
+          def call(event)
+            exceptions = extract_exceptions_from(event)
+
+            exceptions.each do |exception|
+              next unless valid_exception?(exception)
+
+              message = Gitlab::Sanitizers::ExceptionMessage.clean(exception.type, exception.value)
+
+              set_exception_message(exception, message)
+            end
+
+            event
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/exception_log_formatter.rb b/lib/gitlab/exception_log_formatter.rb
index 315574fed31..ce802b562f0 100644
--- a/lib/gitlab/exception_log_formatter.rb
+++ b/lib/gitlab/exception_log_formatter.rb
@@ -10,7 +10,7 @@ module Gitlab
         # Use periods to flatten the fields.
         payload.merge!(
           'exception.class' => exception.class.name,
-          'exception.message' => exception.message
+          'exception.message' => sanitize_message(exception)
         )
 
         if exception.backtrace
@@ -38,6 +38,10 @@ module Gitlab
       rescue PgQuery::ParseError
         sql
       end
+
+      def sanitize_message(exception)
+        Gitlab::Sanitizers::ExceptionMessage.clean(exception.class.name, exception.message)
+      end
     end
   end
 end
diff --git a/lib/gitlab/import_export/members_mapper.rb b/lib/gitlab/import_export/members_mapper.rb
index dd7ec361dd8..d3b1bb6a57d 100644
--- a/lib/gitlab/import_export/members_mapper.rb
+++ b/lib/gitlab/import_export/members_mapper.rb
@@ -19,9 +19,8 @@ module Gitlab
             @exported_members.inject(missing_keys_tracking_hash) do |hash, member|
               if member['user']
                 old_user_id = member['user']['id']
-                old_user_email = member.dig('user', 'public_email') || member.dig('user', 'email')
-                existing_user = User.find_by(find_user_query(old_user_email)) if old_user_email
-                hash[old_user_id] = existing_user.id if existing_user && add_team_member(member, existing_user)
+                existing_user_id = existing_users_email_map[get_email(member)]
+                hash[old_user_id] = existing_user_id if existing_user_id && add_team_member(member, existing_user_id)
               else
                 add_team_member(member)
               end
@@ -72,11 +71,45 @@ module Gitlab
         member&.user == @user && member.access_level >= highest_access_level
       end
 
-      def add_team_member(member, existing_user = nil)
-        return true if existing_user && @importable.members.exists?(user_id: existing_user.id)
+      # Returns {email => user_id} hash where user_id is an ID at current instance
+      def existing_users_email_map
+        @existing_users_email_map ||= begin
+          emails = @exported_members.map { |member| get_email(member) }
+
+          User.by_user_email(emails).pluck(:email, :id).to_h
+        end
+      end
+
+      # Returns {user_id => email} hash where user_id is an ID at source "old" instance
+      def exported_members_email_map
+        @exported_members_email_map ||= begin
+          result = {}
+          @exported_members.each do |member|
+            email = get_email(member)
+
+            next unless email
+
+            result[member.dig('user', 'id')] = email
+          end
+
+          result
+        end
+      end
+
+      def get_email(member_data)
+        return unless member_data['user']
+
+        member_data.dig('user', 'public_email') || member_data.dig('user', 'email')
+      end
+
+      def add_team_member(member, existing_user_id = nil)
+        return true if existing_user_id && @importable.members.exists?(user_id: existing_user_id)
 
-        member['user'] = existing_user
         member_hash = member_hash(member)
+        if existing_user_id
+          member_hash.delete('user')
+          member_hash['user_id'] = existing_user_id
+        end
 
         member = relation_class.create(member_hash)
 
@@ -92,11 +125,19 @@ module Gitlab
       end
 
       def member_hash(member)
-        parsed_hash(member).merge(
+        result = parsed_hash(member).merge(
           'source_id' => @importable.id,
           'importing' => true,
           'access_level' => [member['access_level'], highest_access_level].min
         ).except('user_id')
+
+        if result['created_by_id']
+          created_by_email = exported_members_email_map[result['created_by_id']]
+
+          result['created_by_id'] = existing_users_email_map[created_by_email]
+        end
+
+        result
       end
 
       def parsed_hash(member)
@@ -104,14 +145,6 @@ module Gitlab
                                                      relation_class: relation_class)
       end
 
-      def find_user_query(email)
-        user_arel[:email].eq(email)
-      end
-
-      def user_arel
-        @user_arel ||= User.arel_table
-      end
-
       def relation_class
         case @importable
         when ::Project
@@ -143,7 +176,7 @@ module Gitlab
 
       def base_log_params(member_hash)
         {
-          user_id: member_hash['user']&.id,
+          user_id: member_hash['user_id'],
           access_level: member_hash['access_level'],
           importable_type: @importable.class.to_s,
           importable_id: @importable.id,
diff --git a/lib/gitlab/password.rb b/lib/gitlab/password.rb
deleted file mode 100644
index 00aef8754d6..00000000000
--- a/lib/gitlab/password.rb
+++ /dev/null
@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-
-# This module is used to return fake strong password for tests
-
-module Gitlab
-  module Password
-    DEFAULT_LENGTH = 12
-    TEST_DEFAULT = "123qweQWE!@#" + "0" * (User.password_length.max - DEFAULT_LENGTH)
-    def self.test_default(length = 12)
-      password_length = [[User.password_length.min, length].max, User.password_length.max].min
-      TEST_DEFAULT[...password_length]
-    end
-  end
-end
diff --git a/lib/gitlab/sanitizers/exception_message.rb b/lib/gitlab/sanitizers/exception_message.rb
new file mode 100644
index 00000000000..11c91093d88
--- /dev/null
+++ b/lib/gitlab/sanitizers/exception_message.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Sanitizers
+    module ExceptionMessage
+      FILTERED_STRING = '[FILTERED]'
+      EXCEPTION_NAMES = %w(URI::InvalidURIError Addressable::URI::InvalidURIError).freeze
+      MESSAGE_REGEX = %r{(\A[^:]+:\s).*\Z}.freeze
+
+      class << self
+        def clean(exception_name, message)
+          return message unless exception_name.in?(EXCEPTION_NAMES)
+
+          message.sub(MESSAGE_REGEX, '\1' + FILTERED_STRING)
+        end
+      end
+    end
+  end
+end
diff --git a/lib/tasks/gitlab/seed/group_seed.rake b/lib/tasks/gitlab/seed/group_seed.rake
index 491cf782985..a9a350fb6c3 100644
--- a/lib/tasks/gitlab/seed/group_seed.rake
+++ b/lib/tasks/gitlab/seed/group_seed.rake
@@ -125,7 +125,7 @@ class GroupSeeder
       name: FFaker::Name.name,
       email: FFaker::Internet.email,
       confirmed_at: DateTime.now,
-      password: Gitlab::Password.test_default
+      password: Devise.friendly_token
     )
   end
 
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 0d9c0c70d1e..ef0acfb4533 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -10829,43 +10829,25 @@ msgstr ""
 msgid "Critical vulnerabilities present"
 msgstr ""
 
-msgid "Crm|Contact has been added"
+msgid "Crm|Contact has been added."
 msgstr ""
 
-msgid "Crm|Contact has been updated"
+msgid "Crm|Contact has been updated."
 msgstr ""
 
-msgid "Crm|Create new contact"
+msgid "Crm|Customer relations contacts"
 msgstr ""
 
-msgid "Crm|Create organization"
+msgid "Crm|Customer relations organizations"
 msgstr ""
 
-msgid "Crm|Customer Relations Contacts"
-msgstr ""
-
-msgid "Crm|Customer Relations Organizations"
-msgstr ""
-
-msgid "Crm|Default rate (optional)"
-msgstr ""
-
-msgid "Crm|Description (optional)"
+msgid "Crm|Default rate"
 msgstr ""
 
 msgid "Crm|Edit contact"
 msgstr ""
 
-msgid "Crm|Email"
-msgstr ""
-
-msgid "Crm|First name"
-msgstr ""
-
-msgid "Crm|Last name"
-msgstr ""
-
-msgid "Crm|New Organization"
+msgid "Crm|Edit organization"
 msgstr ""
 
 msgid "Crm|New contact"
@@ -10880,10 +10862,10 @@ msgstr ""
 msgid "Crm|No organizations found"
 msgstr ""
 
-msgid "Crm|Organization has been added"
+msgid "Crm|Organization has been added."
 msgstr ""
 
-msgid "Crm|Phone number (optional)"
+msgid "Crm|Organization has been updated."
 msgstr ""
 
 msgid "Cron Timezone"
@@ -10994,18 +10976,18 @@ msgstr ""
 msgid "Custom range (UTC)"
 msgstr ""
 
-msgid "Customer Relations Contacts"
-msgstr ""
-
-msgid "Customer Relations Organizations"
-msgstr ""
-
 msgid "Customer experience improvement and third-party offers"
 msgstr ""
 
 msgid "Customer relations"
 msgstr ""
 
+msgid "Customer relations contacts"
+msgstr ""
+
+msgid "Customer relations organizations"
+msgstr ""
+
 msgid "Customize CI/CD settings, including Auto DevOps, shared runners, and job artifacts."
 msgstr ""
 
@@ -13223,6 +13205,9 @@ msgstr ""
 msgid "Dismissed on pipeline %{pipelineLink} at %{projectLink}"
 msgstr ""
 
+msgid "Display"
+msgstr ""
+
 msgid "Display alerts from all configured monitoring tools."
 msgstr ""
 
@@ -27269,6 +27254,9 @@ msgstr ""
 msgid "Phabricator Tasks"
 msgstr ""
 
+msgid "Phone"
+msgstr ""
+
 msgid "Pick a name"
 msgstr ""
 
diff --git a/package.json b/package.json
index 99db42bdc8f..794321f4cb6 100644
--- a/package.json
+++ b/package.json
@@ -170,7 +170,7 @@
     "sortablejs": "^1.10.2",
     "string-hash": "1.1.3",
     "style-loader": "^2.0.0",
-    "swagger-ui-dist": "^3.52.3",
+    "swagger-ui-dist": "4.8.0",
     "three": "^0.84.0",
     "three-orbit-controls": "^82.1.0",
     "three-stl-loader": "^1.0.4",
diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
index c52223d4758..c46a12680a2 100644
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -612,8 +612,8 @@ RSpec.describe Admin::UsersController do
       end
 
       context 'when the new password does not match the password confirmation' do
-        let(:password) { Gitlab::Password.test_default }
-        let(:password_confirmation) { "not" + Gitlab::Password.test_default }
+        let(:password) { 'some_password' }
+        let(:password_confirmation) { 'not_same_as_password' }
 
         it 'shows the edit page again' do
           update_password(user, password, password_confirmation)
diff --git a/spec/controllers/projects/merge_requests/creations_controller_spec.rb b/spec/controllers/projects/merge_requests/creations_controller_spec.rb
index 3c650988b4f..a061a14c7b1 100644
--- a/spec/controllers/projects/merge_requests/creations_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests/creations_controller_spec.rb
@@ -186,6 +186,7 @@ RSpec.describe Projects::MergeRequests::CreationsController do
 
     it 'fetches the commit if a user has access' do
       expect(Ability).to receive(:allowed?).with(user, :read_project, project) { true }
+      expect(Ability).to receive(:allowed?).with(user, :create_merge_request_in, project) { true }.at_least(:once)
 
       get :branch_to,
           params: {
@@ -199,8 +200,25 @@ RSpec.describe Projects::MergeRequests::CreationsController do
       expect(response).to have_gitlab_http_status(:ok)
     end
 
+    it 'does not load the commit when the user cannot create_merge_request_in' do
+      expect(Ability).to receive(:allowed?).with(user, :read_project, project) { true }
+      expect(Ability).to receive(:allowed?).with(user, :create_merge_request_in, project) { false }.at_least(:once)
+
+      get :branch_to,
+          params: {
+            namespace_id: fork_project.namespace,
+            project_id: fork_project,
+            target_project_id: project.id,
+            ref: 'master'
+          }
+
+      expect(assigns(:commit)).to be_nil
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+
     it 'does not load the commit when the user cannot read the project' do
       expect(Ability).to receive(:allowed?).with(user, :read_project, project) { false }
+      expect(Ability).to receive(:allowed?).with(user, :create_merge_request_in, project) { true }.at_least(:once)
 
       get :branch_to,
           params: {
diff --git a/spec/controllers/projects/mirrors_controller_spec.rb b/spec/controllers/projects/mirrors_controller_spec.rb
index 7bc86d7c583..686effd799e 100644
--- a/spec/controllers/projects/mirrors_controller_spec.rb
+++ b/spec/controllers/projects/mirrors_controller_spec.rb
@@ -177,6 +177,7 @@ RSpec.describe Projects::MirrorsController do
         INVALID
         git@example.com:foo/bar.git
         ssh://git@example.com:foo/bar.git
+        ssh://127.0.0.1/foo/bar.git
       ].each do |url|
         it "returns an error with a 400 response for URL #{url.inspect}" do
           do_get(project, url)
diff --git a/spec/controllers/registrations_controller_spec.rb b/spec/controllers/registrations_controller_spec.rb
index af34ae2f69b..caff7bcfc7b 100644
--- a/spec/controllers/registrations_controller_spec.rb
+++ b/spec/controllers/registrations_controller_spec.rb
@@ -521,7 +521,7 @@ RSpec.describe RegistrationsController do
       end
 
       it 'succeeds if password is confirmed' do
-        post :destroy, params: { password: Gitlab::Password.test_default }
+        post :destroy, params: { password: '12345678' }
 
         expect_success
       end
@@ -562,7 +562,7 @@ RSpec.describe RegistrationsController do
           end
 
           it 'fails' do
-            delete :destroy, params: { password: Gitlab::Password.test_default }
+            delete :destroy, params: { password: '12345678' }
 
             expect_failure(s_('Profiles|You must transfer ownership or delete groups you are an owner of before you can delete your account'))
           end
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
index eb89cb0a40a..70b0af8a36c 100644
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@@ -5,7 +5,7 @@ FactoryBot.define do
     email { generate(:email) }
     name { generate(:name) }
     username { generate(:username) }
-    password { Gitlab::Password.test_default }
+    password { "12345678" }
     role { 'software_developer' }
     confirmed_at { Time.now }
     confirmation_token { nil }
@@ -27,6 +27,10 @@ FactoryBot.define do
       after(:build) { |user, _| user.block! }
     end
 
+    trait :disallowed_password do
+      password { User::DISALLOWED_PASSWORDS.first }
+    end
+
     trait :blocked_pending_approval do
       after(:build) { |user, _| user.block_pending_approval! }
     end
diff --git a/spec/features/markdown/kroki_spec.rb b/spec/features/markdown/kroki_spec.rb
new file mode 100644
index 00000000000..f02f5d44244
--- /dev/null
+++ b/spec/features/markdown/kroki_spec.rb
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'kroki rendering', :js do
+  let_it_be(:project) { create(:project, :public) }
+
+  before do
+    stub_application_setting(kroki_enabled: true, kroki_url: 'http://localhost:8000')
+  end
+
+  it 'shows kroki image' do
+    plain_text = 'This text length is ignored. ' * 300
+
+    description = <<~KROKI
+      #{plain_text}
+      ```plantuml
+      A -> A: T
+      ```
+    KROKI
+
+    issue = create(:issue, project: project, description: description)
+
+    visit project_issue_path(project, issue)
+
+    within('.description') do
+      expect(page).to have_css('img')
+      expect(page).not_to have_text 'Warning: Displaying this diagram might cause performance issues on this page.'
+    end
+  end
+
+  it 'hides kroki image and shows warning alert when kroki source size is large' do
+    plantuml_text = 'A -> A: T ' * 300
+
+    description = <<~KROKI
+      ```plantuml
+      #{plantuml_text}
+      ```
+    KROKI
+
+    issue = create(:issue, project: project, description: description)
+
+    visit project_issue_path(project, issue)
+
+    within('.description') do
+      expect(page).not_to have_css('img')
+      expect(page).to have_text 'Warning: Displaying this diagram might cause performance issues on this page.'
+
+      click_button 'Display'
+
+      expect(page).to have_css('img')
+      expect(page).not_to have_text 'Warning: Displaying this diagram might cause performance issues on this page.'
+    end
+  end
+end
diff --git a/spec/features/password_reset_spec.rb b/spec/features/password_reset_spec.rb
index a4e167a3e75..f89e19f5361 100644
--- a/spec/features/password_reset_spec.rb
+++ b/spec/features/password_reset_spec.rb
@@ -44,8 +44,8 @@ RSpec.describe 'Password reset' do
 
       visit(edit_user_password_path(reset_password_token: token))
 
-      fill_in 'New password', with: "new" + Gitlab::Password.test_default
-      fill_in 'Confirm new password', with: "new" + Gitlab::Password.test_default
+      fill_in 'New password', with: 'hello1234'
+      fill_in 'Confirm new password', with: 'hello1234'
 
       click_button 'Change your password'
 
diff --git a/spec/features/profile_spec.rb b/spec/features/profile_spec.rb
index 34eb07d78f1..36657406303 100644
--- a/spec/features/profile_spec.rb
+++ b/spec/features/profile_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe 'Profile account page', :js do
     it 'deletes user', :js, :sidekiq_might_not_need_inline do
       click_button 'Delete account'
 
-      fill_in 'password', with: Gitlab::Password.test_default
+      fill_in 'password', with: '12345678'
 
       page.within '.modal' do
         click_button 'Delete account'
diff --git a/spec/features/profiles/password_spec.rb b/spec/features/profiles/password_spec.rb
index 2181285f771..7eadb74d2d4 100644
--- a/spec/features/profiles/password_spec.rb
+++ b/spec/features/profiles/password_spec.rb
@@ -39,7 +39,7 @@ RSpec.describe 'Profile > Password' do
 
       describe 'User puts the same passwords in the field and in the confirmation' do
         it 'shows a success message' do
-          fill_passwords(Gitlab::Password.test_default, Gitlab::Password.test_default)
+          fill_passwords('mypassword', 'mypassword')
 
           page.within('[data-testid="alert-info"]') do
             expect(page).to have_content('Password was successfully updated. Please sign in again.')
@@ -79,7 +79,7 @@ RSpec.describe 'Profile > Password' do
   end
 
   context 'Change password' do
-    let(:new_password) { "new" + Gitlab::Password.test_default }
+    let(:new_password) { '22233344' }
 
     before do
       sign_in(user)
@@ -170,8 +170,8 @@ RSpec.describe 'Profile > Password' do
       expect(page).to have_current_path new_profile_password_path, ignore_query: true
 
       fill_in :user_password,      with: user.password
-      fill_in :user_new_password,  with: Gitlab::Password.test_default
-      fill_in :user_password_confirmation, with: Gitlab::Password.test_default
+      fill_in :user_new_password,  with: '12345678'
+      fill_in :user_password_confirmation, with: '12345678'
       click_button 'Set new password'
 
       expect(page).to have_current_path new_user_session_path, ignore_query: true
diff --git a/spec/features/projects/blobs/blob_show_spec.rb b/spec/features/projects/blobs/blob_show_spec.rb
index 05fd72a8932..76baad63cc2 100644
--- a/spec/features/projects/blobs/blob_show_spec.rb
+++ b/spec/features/projects/blobs/blob_show_spec.rb
@@ -948,6 +948,53 @@ RSpec.describe 'File blob', :js do
           end
         end
       end
+
+      context 'openapi.yml' do
+        before do
+          file_name = 'openapi.yml'
+
+          create_file(file_name, '
+              swagger: \'2.0\'
+              info:
+                title: Classic API Resource Documentation
+                description: |
+                        <div class="foo-bar" style="background-color: red;" data-foo-bar="baz">
+                          <h1>Swagger API documentation</h1>
+                        </div>
+                version: production
+              basePath: /JSSResource/
+              produces:
+                - application/xml
+                - application/json
+              consumes:
+                - application/xml
+                - application/json
+              security:
+                - basicAuth: []
+              paths:
+                /accounts:
+                  get:
+                    responses:
+                      \'200\':
+                        description: No response was specified
+                    tags:
+                      - accounts
+                    operationId: findAccounts
+                    summary: Finds all accounts
+            ')
+          visit_blob(file_name, useUnsafeMarkdown: '1')
+          click_button('Display rendered file')
+
+          wait_for_requests
+        end
+
+        it 'removes `style`, `class`, and `data-*`` attributes from HTML' do
+          expect(page).to have_css('h1', text: 'Swagger API documentation')
+          expect(page).not_to have_css('.foo-bar')
+          expect(page).not_to have_css('[style="background-color: red;"]')
+          expect(page).not_to have_css('[data-foo-bar="baz"]')
+        end
+      end
     end
 
     context 'realtime pipelines' do
diff --git a/spec/features/refactor_blob_viewer_disabled/projects/blobs/blob_show_spec.rb b/spec/features/refactor_blob_viewer_disabled/projects/blobs/blob_show_spec.rb
index 659014c922b..5574b4da383 100644
--- a/spec/features/refactor_blob_viewer_disabled/projects/blobs/blob_show_spec.rb
+++ b/spec/features/refactor_blob_viewer_disabled/projects/blobs/blob_show_spec.rb
@@ -1050,6 +1050,53 @@ RSpec.describe 'File blob', :js do
         end
       end
     end
+
+    context 'openapi.yml' do
+      before do
+        file_name = 'openapi.yml'
+
+        create_file(file_name, '
+            swagger: \'2.0\'
+            info:
+              title: Classic API Resource Documentation
+              description: |
+                      <div class="foo-bar" style="background-color: red;" data-foo-bar="baz">
+                        <h1>Swagger API documentation</h1>
+                      </div>
+              version: production
+            basePath: /JSSResource/
+            produces:
+              - application/xml
+              - application/json
+            consumes:
+              - application/xml
+              - application/json
+            security:
+              - basicAuth: []
+            paths:
+              /accounts:
+                get:
+                  responses:
+                    \'200\':
+                      description: No response was specified
+                  tags:
+                    - accounts
+                  operationId: findAccounts
+                  summary: Finds all accounts
+          ')
+        visit_blob(file_name, useUnsafeMarkdown: '1')
+        click_button('Display rendered file')
+
+        wait_for_requests
+      end
+
+      it 'removes `style`, `class`, and `data-*`` attributes from HTML' do
+        expect(page).to have_css('h1', text: 'Swagger API documentation')
+        expect(page).not_to have_css('.foo-bar')
+        expect(page).not_to have_css('[style="background-color: red;"]')
+        expect(page).not_to have_css('[data-foo-bar="baz"]')
+      end
+    end
   end
 
   context 'realtime pipelines' do
diff --git a/spec/features/users/anonymous_sessions_spec.rb b/spec/features/users/anonymous_sessions_spec.rb
index f9b23626397..6b21412ae3d 100644
--- a/spec/features/users/anonymous_sessions_spec.rb
+++ b/spec/features/users/anonymous_sessions_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe 'Session TTLs', :clean_gitlab_redis_shared_state do
     visit new_user_session_path
     # The session key only gets created after a post
     fill_in 'user_login', with: 'non-existant@gitlab.org'
-    fill_in 'user_password', with: Gitlab::Password.test_default
+    fill_in 'user_password', with: '12345678'
     click_button 'Sign in'
 
     expect(page).to have_content('Invalid login or password')
diff --git a/spec/features/users/login_spec.rb b/spec/features/users/login_spec.rb
index 4d06415e203..8610cae58a4 100644
--- a/spec/features/users/login_spec.rb
+++ b/spec/features/users/login_spec.rb
@@ -49,15 +49,15 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
       expect(page).to have_current_path edit_user_password_path, ignore_query: true
       expect(page).to have_content('Please create a password for your new account.')
 
-      fill_in 'user_password',              with: Gitlab::Password.test_default
-      fill_in 'user_password_confirmation', with: Gitlab::Password.test_default
+      fill_in 'user_password',              with: 'password'
+      fill_in 'user_password_confirmation', with: 'password'
       click_button 'Change your password'
 
       expect(page).to have_current_path new_user_session_path, ignore_query: true
       expect(page).to have_content(I18n.t('devise.passwords.updated_not_active'))
 
       fill_in 'user_login',    with: user.username
-      fill_in 'user_password', with: Gitlab::Password.test_default
+      fill_in 'user_password', with: 'password'
       click_button 'Sign in'
 
       expect_single_session_with_authenticated_ttl
@@ -150,6 +150,27 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
     end
   end
 
+  describe 'with a disallowed password' do
+    let(:user) { create(:user, :disallowed_password) }
+
+    before do
+      expect(authentication_metrics)
+        .to increment(:user_unauthenticated_counter)
+        .and increment(:user_password_invalid_counter)
+    end
+
+    it 'disallows login' do
+      gitlab_sign_in(user, password: user.password)
+
+      expect(page).to have_content('Invalid login or password.')
+    end
+
+    it 'does not update Devise trackable attributes' do
+      expect { gitlab_sign_in(user, password: user.password) }
+        .not_to change { User.ghost.reload.sign_in_count }
+    end
+  end
+
   describe 'with the ghost user' do
     it 'disallows login' do
       expect(authentication_metrics)
@@ -210,7 +231,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
       end
 
       it 'does not allow sign-in if the user password is updated before entering a one-time code' do
-        user.update!(password: "new" + Gitlab::Password.test_default)
+        user.update!(password: 'new_password')
 
         enter_code(user.current_otp)
 
@@ -447,7 +468,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
           visit new_user_session_path
 
           fill_in 'user_login', with: user.email
-          fill_in 'user_password', with: Gitlab::Password.test_default
+          fill_in 'user_password', with: '12345678'
           click_button 'Sign in'
 
           expect(page).to have_current_path(new_profile_password_path, ignore_query: true)
@@ -456,7 +477,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
     end
 
     context 'with invalid username and password' do
-      let(:user) { create(:user, password: "not" + Gitlab::Password.test_default) }
+      let(:user) { create(:user, password: 'not-the-default') }
 
       it 'blocks invalid login' do
         expect(authentication_metrics)
@@ -767,7 +788,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
       visit new_user_session_path
 
       fill_in 'user_login', with: user.email
-      fill_in 'user_password', with: Gitlab::Password.test_default
+      fill_in 'user_password', with: '12345678'
 
       click_button 'Sign in'
 
@@ -788,7 +809,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
       visit new_user_session_path
 
       fill_in 'user_login', with: user.email
-      fill_in 'user_password', with: Gitlab::Password.test_default
+      fill_in 'user_password', with: '12345678'
 
       click_button 'Sign in'
 
@@ -810,7 +831,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
           visit new_user_session_path
 
           fill_in 'user_login', with: user.email
-          fill_in 'user_password', with: Gitlab::Password.test_default
+          fill_in 'user_password', with: '12345678'
 
           click_button 'Sign in'
 
@@ -845,7 +866,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
           visit new_user_session_path
 
           fill_in 'user_login', with: user.email
-          fill_in 'user_password', with: Gitlab::Password.test_default
+          fill_in 'user_password', with: '12345678'
           click_button 'Sign in'
 
           fill_in 'user_otp_attempt', with: user.reload.current_otp
@@ -871,7 +892,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
         visit new_user_session_path
 
         fill_in 'user_login', with: user.email
-        fill_in 'user_password', with: Gitlab::Password.test_default
+        fill_in 'user_password', with: '12345678'
         click_button 'Sign in'
 
         expect_to_be_on_terms_page
@@ -879,7 +900,7 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do
 
         expect(page).to have_current_path(new_profile_password_path, ignore_query: true)
 
-        fill_in 'user_password', with: Gitlab::Password.test_default
+        fill_in 'user_password', with: '12345678'
         fill_in 'user_new_password', with: 'new password'
         fill_in 'user_password_confirmation', with: 'new password'
         click_button 'Set new password'
diff --git a/spec/fixtures/markdown/markdown_golden_master_examples.yml b/spec/fixtures/markdown/markdown_golden_master_examples.yml
index 70a23d09c62..bdd7c13c1a3 100644
--- a/spec/fixtures/markdown/markdown_golden_master_examples.yml
+++ b/spec/fixtures/markdown/markdown_golden_master_examples.yml
@@ -391,7 +391,7 @@
       ]
     ```
   html: |-
-    <a class="no-attachment-icon" href="http://localhost:8000/nomnoml/svg/eNp1jbsOwjAMRfd-haUuIJQBBlRFVZb2L1CGkBqpgtpR6oEhH0_CW6hsts-9xwD1LJHPqKF2zX67ayqAQ3uKbkLTo-fohCMEJ4KRUoYFu2MuOS-m4ykwIUlKG-CAOT0yrdb2EewuY2YWBgxIwwxKmXx8dZ6h95ekgPAqGv4miuk-YnEVFfmIgr-Fzw6tVt-CZb7osdUNUAReJA==" target="_blank" rel="noopener noreferrer" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,ICAjc3Ryb2tlOiAjYTg2MTI4CiAgWzxmcmFtZT5EZWNvcmF0b3IgcGF0dGVybnwKICAgIFs8YWJzdHJhY3Q+Q29tcG9uZW50fHwrIG9wZXJhdGlvbigpXQogICAgW0NsaWVudF0gZGVwZW5kcyAtLT4gW0NvbXBvbmVudF0KICAgIFtEZWNvcmF0b3J8LSBuZXh0OiBDb21wb25lbnRdCiAgICBbRGVjb3JhdG9yXSBkZWNvcmF0ZXMgLS0gW0NvbmNyZXRlQ29tcG9uZW50XQogICAgW0NvbXBvbmVudF0gPDotIFtEZWNvcmF0b3JdCiAgICBbQ29tcG9uZW50XSA8Oi0gW0NvbmNyZXRlQ29tcG9uZW50XQogIF0K"><img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" class="lazy" data-src="http://localhost:8000/nomnoml/svg/eNp1jbsOwjAMRfd-haUuIJQBBlRFVZb2L1CGkBqpgtpR6oEhH0_CW6hsts-9xwD1LJHPqKF2zX67ayqAQ3uKbkLTo-fohCMEJ4KRUoYFu2MuOS-m4ykwIUlKG-CAOT0yrdb2EewuY2YWBgxIwwxKmXx8dZ6h95ekgPAqGv4miuk-YnEVFfmIgr-Fzw6tVt-CZb7osdUNUAReJA=="></a>
+    <a class="no-attachment-icon" href="http://localhost:8000/nomnoml/svg/eNp1jbsOwjAMRfd-haUuIJQBBlRFVZb2L1CGkBqpgtpR6oEhH0_CW6hsts-9xwD1LJHPqKF2zX67ayqAQ3uKbkLTo-fohCMEJ4KRUoYFu2MuOS-m4ykwIUlKG-CAOT0yrdb2EewuY2YWBgxIwwxKmXx8dZ6h95ekgPAqGv4miuk-YnEVFfmIgr-Fzw6tVt-CZb7osdUNUAReJA==" target="_blank" rel="noopener noreferrer" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,ICAjc3Ryb2tlOiAjYTg2MTI4CiAgWzxmcmFtZT5EZWNvcmF0b3IgcGF0dGVybnwKICAgIFs8YWJzdHJhY3Q+Q29tcG9uZW50fHwrIG9wZXJhdGlvbigpXQogICAgW0NsaWVudF0gZGVwZW5kcyAtLT4gW0NvbXBvbmVudF0KICAgIFtEZWNvcmF0b3J8LSBuZXh0OiBDb21wb25lbnRdCiAgICBbRGVjb3JhdG9yXSBkZWNvcmF0ZXMgLS0gW0NvbmNyZXRlQ29tcG9uZW50XQogICAgW0NvbXBvbmVudF0gPDotIFtEZWNvcmF0b3JdCiAgICBbQ29tcG9uZW50XSA8Oi0gW0NvbmNyZXRlQ29tcG9uZW50XQogIF0K"><img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" class="js-render-kroki lazy" data-src="http://localhost:8000/nomnoml/svg/eNp1jbsOwjAMRfd-haUuIJQBBlRFVZb2L1CGkBqpgtpR6oEhH0_CW6hsts-9xwD1LJHPqKF2zX67ayqAQ3uKbkLTo-fohCMEJ4KRUoYFu2MuOS-m4ykwIUlKG-CAOT0yrdb2EewuY2YWBgxIwwxKmXx8dZ6h95ekgPAqGv4miuk-YnEVFfmIgr-Fzw6tVt-CZb7osdUNUAReJA=="></a>
 
 - name: diagram_plantuml
   markdown: |-
diff --git a/spec/frontend/behaviors/components/diagram_performance_warning_spec.js b/spec/frontend/behaviors/components/diagram_performance_warning_spec.js
new file mode 100644
index 00000000000..c58c2bc55a9
--- /dev/null
+++ b/spec/frontend/behaviors/components/diagram_performance_warning_spec.js
@@ -0,0 +1,40 @@
+import { GlAlert } from '@gitlab/ui';
+import { shallowMount } from '@vue/test-utils';
+import DiagramPerformanceWarning from '~/behaviors/components/diagram_performance_warning.vue';
+
+describe('DiagramPerformanceWarning component', () => {
+  let wrapper;
+
+  const findAlert = () => wrapper.findComponent(GlAlert);
+
+  beforeEach(() => {
+    wrapper = shallowMount(DiagramPerformanceWarning);
+  });
+
+  afterEach(() => {
+    wrapper.destroy();
+  });
+
+  it('renders warning alert with button', () => {
+    expect(findAlert().props()).toMatchObject({
+      primaryButtonText: DiagramPerformanceWarning.i18n.buttonText,
+      variant: 'warning',
+    });
+  });
+
+  it('renders warning message', () => {
+    expect(findAlert().text()).toBe(DiagramPerformanceWarning.i18n.bodyText);
+  });
+
+  it('emits event when closing alert', () => {
+    findAlert().vm.$emit('dismiss');
+
+    expect(wrapper.emitted('closeAlert')).toEqual([[]]);
+  });
+
+  it('emits event when accepting alert', () => {
+    findAlert().vm.$emit('primaryAction');
+
+    expect(wrapper.emitted('showImage')).toEqual([[]]);
+  });
+});
diff --git a/spec/frontend/crm/contact_form_spec.js b/spec/frontend/crm/contact_form_spec.js
deleted file mode 100644
index 0edab4f5ec5..00000000000
--- a/spec/frontend/crm/contact_form_spec.js
+++ /dev/null
@@ -1,157 +0,0 @@
-import { GlAlert } from '@gitlab/ui';
-import Vue from 'vue';
-import VueApollo from 'vue-apollo';
-import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
-import createMockApollo from 'helpers/mock_apollo_helper';
-import waitForPromises from 'helpers/wait_for_promises';
-import ContactForm from '~/crm/components/contact_form.vue';
-import createContactMutation from '~/crm/components/queries/create_contact.mutation.graphql';
-import updateContactMutation from '~/crm/components/queries/update_contact.mutation.graphql';
-import getGroupContactsQuery from '~/crm/components/queries/get_group_contacts.query.graphql';
-import {
-  createContactMutationErrorResponse,
-  createContactMutationResponse,
-  getGroupContactsQueryResponse,
-  updateContactMutationErrorResponse,
-  updateContactMutationResponse,
-} from './mock_data';
-
-describe('Customer relations contact form component', () => {
-  Vue.use(VueApollo);
-  let wrapper;
-  let fakeApollo;
-  let mutation;
-  let queryHandler;
-
-  const findSaveContactButton = () => wrapper.findByTestId('save-contact-button');
-  const findCancelButton = () => wrapper.findByTestId('cancel-button');
-  const findForm = () => wrapper.find('form');
-  const findError = () => wrapper.findComponent(GlAlert);
-
-  const mountComponent = ({ mountFunction = shallowMountExtended, editForm = false } = {}) => {
-    fakeApollo = createMockApollo([[mutation, queryHandler]]);
-    fakeApollo.clients.defaultClient.cache.writeQuery({
-      query: getGroupContactsQuery,
-      variables: { groupFullPath: 'flightjs' },
-      data: getGroupContactsQueryResponse.data,
-    });
-    const propsData = { drawerOpen: true };
-    if (editForm)
-      propsData.contact = { firstName: 'First', lastName: 'Last', email: 'email@example.com' };
-    wrapper = mountFunction(ContactForm, {
-      provide: { groupId: 26, groupFullPath: 'flightjs' },
-      apolloProvider: fakeApollo,
-      propsData,
-    });
-  };
-
-  beforeEach(() => {
-    mutation = createContactMutation;
-    queryHandler = jest.fn().mockResolvedValue(createContactMutationResponse);
-  });
-
-  afterEach(() => {
-    wrapper.destroy();
-    fakeApollo = null;
-  });
-
-  describe('Save contact button', () => {
-    it('should be disabled when required fields are empty', () => {
-      mountComponent();
-
-      expect(findSaveContactButton().props('disabled')).toBe(true);
-    });
-
-    it('should not be disabled when required fields have values', async () => {
-      mountComponent();
-
-      wrapper.find('#contact-first-name').vm.$emit('input', 'A');
-      wrapper.find('#contact-last-name').vm.$emit('input', 'B');
-      wrapper.find('#contact-email').vm.$emit('input', 'C');
-      await waitForPromises();
-
-      expect(findSaveContactButton().props('disabled')).toBe(false);
-    });
-  });
-
-  it("should emit 'close' when cancel button is clicked", () => {
-    mountComponent();
-
-    findCancelButton().vm.$emit('click');
-
-    expect(wrapper.emitted().close).toBeTruthy();
-  });
-
-  describe('when create mutation is successful', () => {
-    it("should emit 'close'", async () => {
-      mountComponent();
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(wrapper.emitted().close).toBeTruthy();
-    });
-  });
-
-  describe('when create mutation fails', () => {
-    it('should show error on reject', async () => {
-      queryHandler = jest.fn().mockRejectedValue('ERROR');
-      mountComponent();
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(findError().exists()).toBe(true);
-    });
-
-    it('should show error on error response', async () => {
-      queryHandler = jest.fn().mockResolvedValue(createContactMutationErrorResponse);
-      mountComponent();
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(findError().exists()).toBe(true);
-      expect(findError().text()).toBe('create contact is invalid.');
-    });
-  });
-
-  describe('when update mutation is successful', () => {
-    it("should emit 'close'", async () => {
-      mutation = updateContactMutation;
-      queryHandler = jest.fn().mockResolvedValue(updateContactMutationResponse);
-      mountComponent({ editForm: true });
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(wrapper.emitted().close).toBeTruthy();
-    });
-  });
-
-  describe('when update mutation fails', () => {
-    beforeEach(() => {
-      mutation = updateContactMutation;
-    });
-
-    it('should show error on reject', async () => {
-      queryHandler = jest.fn().mockRejectedValue('ERROR');
-      mountComponent({ editForm: true });
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(findError().exists()).toBe(true);
-    });
-
-    it('should show error on error response', async () => {
-      queryHandler = jest.fn().mockResolvedValue(updateContactMutationErrorResponse);
-      mountComponent({ editForm: true });
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(findError().exists()).toBe(true);
-      expect(findError().text()).toBe('update contact is invalid.');
-    });
-  });
-});
diff --git a/spec/frontend/crm/contact_form_wrapper_spec.js b/spec/frontend/crm/contact_form_wrapper_spec.js
new file mode 100644
index 00000000000..6307889a7aa
--- /dev/null
+++ b/spec/frontend/crm/contact_form_wrapper_spec.js
@@ -0,0 +1,88 @@
+import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
+import ContactFormWrapper from '~/crm/contacts/components/contact_form_wrapper.vue';
+import ContactForm from '~/crm/components/form.vue';
+import getGroupContactsQuery from '~/crm/contacts/components/graphql/get_group_contacts.query.graphql';
+import createContactMutation from '~/crm/contacts/components/graphql/create_contact.mutation.graphql';
+import updateContactMutation from '~/crm/contacts/components/graphql/update_contact.mutation.graphql';
+
+describe('Customer relations contact form wrapper', () => {
+  let wrapper;
+
+  const findContactForm = () => wrapper.findComponent(ContactForm);
+
+  const $apollo = {
+    queries: {
+      contacts: {
+        loading: false,
+      },
+    },
+  };
+  const $route = {
+    params: {
+      id: 7,
+    },
+  };
+  const contacts = [{ id: 'gid://gitlab/CustomerRelations::Contact/7' }];
+
+  const mountComponent = ({ isEditMode = false } = {}) => {
+    wrapper = shallowMountExtended(ContactFormWrapper, {
+      propsData: {
+        isEditMode,
+      },
+      provide: {
+        groupFullPath: 'flightjs',
+        groupId: 26,
+      },
+      mocks: {
+        $apollo,
+        $route,
+      },
+    });
+  };
+
+  afterEach(() => {
+    wrapper.destroy();
+  });
+
+  describe('in edit mode', () => {
+    it('should render contact form with correct props', () => {
+      mountComponent({ isEditMode: true });
+
+      const contactForm = findContactForm();
+      expect(contactForm.props('fields')).toHaveLength(5);
+      expect(contactForm.props('title')).toBe('Edit contact');
+      expect(contactForm.props('successMessage')).toBe('Contact has been updated.');
+      expect(contactForm.props('mutation')).toBe(updateContactMutation);
+      expect(contactForm.props('getQuery')).toMatchObject({
+        query: getGroupContactsQuery,
+        variables: { groupFullPath: 'flightjs' },
+      });
+      expect(contactForm.props('getQueryNodePath')).toBe('group.contacts');
+      expect(contactForm.props('existingId')).toBe(contacts[0].id);
+      expect(contactForm.props('additionalCreateParams')).toMatchObject({
+        groupId: 'gid://gitlab/Group/26',
+      });
+    });
+  });
+
+  describe('in create mode', () => {
+    it('should render contact form with correct props', () => {
+      mountComponent();
+
+      const contactForm = findContactForm();
+      expect(contactForm.props('fields')).toHaveLength(5);
+      expect(contactForm.props('title')).toBe('New contact');
+      expect(contactForm.props('successMessage')).toBe('Contact has been added.');
+      expect(contactForm.props('mutation')).toBe(createContactMutation);
+      expect(contactForm.props('getQuery')).toMatchObject({
+        query: getGroupContactsQuery,
+        variables: { groupFullPath: 'flightjs' },
+      });
+      expect(contactForm.props('getQueryNodePath')).toBe('group.contacts');
+      expect(contactForm.props('existingId')).toBeNull();
+      expect(contactForm.props('additionalCreateParams')).toMatchObject({
+        groupId: 'gid://gitlab/Group/26',
+      });
+    });
+  });
+});
diff --git a/spec/frontend/crm/contacts_root_spec.js b/spec/frontend/crm/contacts_root_spec.js
index b30349305a3..b02d94e9cb1 100644
--- a/spec/frontend/crm/contacts_root_spec.js
+++ b/spec/frontend/crm/contacts_root_spec.js
@@ -5,11 +5,9 @@ import VueRouter from 'vue-router';
 import { mountExtended, shallowMountExtended } from 'helpers/vue_test_utils_helper';
 import createMockApollo from 'helpers/mock_apollo_helper';
 import waitForPromises from 'helpers/wait_for_promises';
-import ContactsRoot from '~/crm/components/contacts_root.vue';
-import ContactForm from '~/crm/components/contact_form.vue';
-import getGroupContactsQuery from '~/crm/components/queries/get_group_contacts.query.graphql';
-import { NEW_ROUTE_NAME, EDIT_ROUTE_NAME } from '~/crm/constants';
-import routes from '~/crm/routes';
+import ContactsRoot from '~/crm/contacts/components/contacts_root.vue';
+import getGroupContactsQuery from '~/crm/contacts/components/graphql/get_group_contacts.query.graphql';
+import routes from '~/crm/contacts/routes';
 import { getGroupContactsQueryResponse } from './mock_data';
 
 describe('Customer relations contacts root app', () => {
@@ -23,8 +21,6 @@ describe('Customer relations contacts root app', () => {
   const findRowByName = (rowName) => wrapper.findAllByRole('row', { name: rowName });
   const findIssuesLinks = () => wrapper.findAllByTestId('issues-link');
   const findNewContactButton = () => wrapper.findByTestId('new-contact-button');
-  const findEditContactButton = () => wrapper.findByTestId('edit-contact-button');
-  const findContactForm = () => wrapper.findComponent(ContactForm);
   const findError = () => wrapper.findComponent(GlAlert);
   const successQueryHandler = jest.fn().mockResolvedValue(getGroupContactsQueryResponse);
 
@@ -40,8 +36,8 @@ describe('Customer relations contacts root app', () => {
       router,
       provide: {
         groupFullPath: 'flightjs',
-        groupIssuesPath: '/issues',
         groupId: 26,
+        groupIssuesPath: '/issues',
         canAdminCrmContact,
       },
       apolloProvider: fakeApollo,
@@ -82,71 +78,6 @@ describe('Customer relations contacts root app', () => {
     });
   });
 
-  describe('contact form', () => {
-    it('should not exist by default', async () => {
-      mountComponent();
-      await waitForPromises();
-
-      expect(findContactForm().exists()).toBe(false);
-    });
-
-    it('should exist when user clicks new contact button', async () => {
-      mountComponent();
-
-      findNewContactButton().vm.$emit('click');
-      await waitForPromises();
-
-      expect(findContactForm().exists()).toBe(true);
-    });
-
-    it('should exist when user navigates directly to `new` route', async () => {
-      router.replace({ name: NEW_ROUTE_NAME });
-      mountComponent();
-      await waitForPromises();
-
-      expect(findContactForm().exists()).toBe(true);
-    });
-
-    it('should exist when user clicks edit contact button', async () => {
-      mountComponent({ mountFunction: mountExtended });
-      await waitForPromises();
-
-      findEditContactButton().vm.$emit('click');
-      await waitForPromises();
-
-      expect(findContactForm().exists()).toBe(true);
-    });
-
-    it('should exist when user navigates directly to `edit` route', async () => {
-      router.replace({ name: EDIT_ROUTE_NAME, params: { id: 16 } });
-      mountComponent();
-      await waitForPromises();
-
-      expect(findContactForm().exists()).toBe(true);
-    });
-
-    it('should not exist when new form emits close', async () => {
-      router.replace({ name: NEW_ROUTE_NAME });
-      mountComponent();
-
-      findContactForm().vm.$emit('close');
-      await waitForPromises();
-
-      expect(findContactForm().exists()).toBe(false);
-    });
-
-    it('should not exist when edit form emits close', async () => {
-      router.replace({ name: EDIT_ROUTE_NAME, params: { id: 16 } });
-      mountComponent();
-      await waitForPromises();
-
-      findContactForm().vm.$emit('close');
-      await waitForPromises();
-
-      expect(findContactForm().exists()).toBe(false);
-    });
-  });
-
   describe('error', () => {
     it('should exist on reject', async () => {
       mountComponent({ queryHandler: jest.fn().mockRejectedValue('ERROR') });
diff --git a/spec/frontend/crm/form_spec.js b/spec/frontend/crm/form_spec.js
index 0e3abc05c37..5c349b24ea1 100644
--- a/spec/frontend/crm/form_spec.js
+++ b/spec/frontend/crm/form_spec.js
@@ -6,12 +6,12 @@ import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
 import createMockApollo from 'helpers/mock_apollo_helper';
 import waitForPromises from 'helpers/wait_for_promises';
 import Form from '~/crm/components/form.vue';
-import routes from '~/crm/routes';
-import createContactMutation from '~/crm/components/queries/create_contact.mutation.graphql';
-import updateContactMutation from '~/crm/components/queries/update_contact.mutation.graphql';
-import getGroupContactsQuery from '~/crm/components/queries/get_group_contacts.query.graphql';
-import createOrganizationMutation from '~/crm/components/queries/create_organization.mutation.graphql';
-import getGroupOrganizationsQuery from '~/crm/components/queries/get_group_organizations.query.graphql';
+import routes from '~/crm/contacts/routes';
+import createContactMutation from '~/crm/contacts/components/graphql/create_contact.mutation.graphql';
+import updateContactMutation from '~/crm/contacts/components/graphql/update_contact.mutation.graphql';
+import getGroupContactsQuery from '~/crm/contacts/components/graphql/get_group_contacts.query.graphql';
+import createOrganizationMutation from '~/crm/organizations/components/graphql/create_organization.mutation.graphql';
+import getGroupOrganizationsQuery from '~/crm/organizations/components/graphql/get_group_organizations.query.graphql';
 import {
   createContactMutationErrorResponse,
   createContactMutationResponse,
@@ -101,6 +101,11 @@ describe('Reusable form component', () => {
         { name: 'phone', label: 'Phone' },
         { name: 'description', label: 'Description' },
       ],
+      getQuery: {
+        query: getGroupContactsQuery,
+        variables: { groupFullPath: 'flightjs' },
+      },
+      getQueryNodePath: 'group.contacts',
       ...propsData,
     });
   };
@@ -108,13 +113,8 @@ describe('Reusable form component', () => {
   const mountContactCreate = () => {
     const propsData = {
       title: 'New contact',
-      successMessage: 'Contact has been added',
+      successMessage: 'Contact has been added.',
       buttonLabel: 'Create contact',
-      getQuery: {
-        query: getGroupContactsQuery,
-        variables: { groupFullPath: 'flightjs' },
-      },
-      getQueryNodePath: 'group.contacts',
       mutation: createContactMutation,
       additionalCreateParams: { groupId: 'gid://gitlab/Group/26' },
     };
@@ -124,14 +124,9 @@ describe('Reusable form component', () => {
   const mountContactUpdate = () => {
     const propsData = {
       title: 'Edit contact',
-      successMessage: 'Contact has been updated',
+      successMessage: 'Contact has been updated.',
       mutation: updateContactMutation,
-      existingModel: {
-        id: 'gid://gitlab/CustomerRelations::Contact/12',
-        firstName: 'First',
-        lastName: 'Last',
-        email: 'email@example.com',
-      },
+      existingId: 'gid://gitlab/CustomerRelations::Contact/12',
     };
     mountContact({ propsData });
   };
@@ -143,6 +138,11 @@ describe('Reusable form component', () => {
         { name: 'defaultRate', label: 'Default rate', input: { type: 'number', step: '0.01' } },
         { name: 'description', label: 'Description' },
       ],
+      getQuery: {
+        query: getGroupOrganizationsQuery,
+        variables: { groupFullPath: 'flightjs' },
+      },
+      getQueryNodePath: 'group.organizations',
       ...propsData,
     });
   };
@@ -150,13 +150,8 @@ describe('Reusable form component', () => {
   const mountOrganizationCreate = () => {
     const propsData = {
       title: 'New organization',
-      successMessage: 'Organization has been added',
+      successMessage: 'Organization has been added.',
       buttonLabel: 'Create organization',
-      getQuery: {
-        query: getGroupOrganizationsQuery,
-        variables: { groupFullPath: 'flightjs' },
-      },
-      getQueryNodePath: 'group.organizations',
       mutation: createOrganizationMutation,
       additionalCreateParams: { groupId: 'gid://gitlab/Group/26' },
     };
@@ -167,17 +162,17 @@ describe('Reusable form component', () => {
     [FORM_CREATE_CONTACT]: {
       mountFunction: mountContactCreate,
       mutationErrorResponse: createContactMutationErrorResponse,
-      toastMessage: 'Contact has been added',
+      toastMessage: 'Contact has been added.',
     },
     [FORM_UPDATE_CONTACT]: {
       mountFunction: mountContactUpdate,
       mutationErrorResponse: updateContactMutationErrorResponse,
-      toastMessage: 'Contact has been updated',
+      toastMessage: 'Contact has been updated.',
     },
     [FORM_CREATE_ORG]: {
       mountFunction: mountOrganizationCreate,
       mutationErrorResponse: createOrganizationMutationErrorResponse,
-      toastMessage: 'Organization has been added',
+      toastMessage: 'Organization has been added.',
     },
   };
   const asTestParams = (...keys) => keys.map((name) => [name, forms[name]]);
diff --git a/spec/frontend/crm/mock_data.js b/spec/frontend/crm/mock_data.js
index e351e101b29..35bc7fb69b4 100644
--- a/spec/frontend/crm/mock_data.js
+++ b/spec/frontend/crm/mock_data.js
@@ -157,3 +157,28 @@ export const createOrganizationMutationErrorResponse = {
     },
   },
 };
+
+export const updateOrganizationMutationResponse = {
+  data: {
+    customerRelationsOrganizationUpdate: {
+      __typeName: 'CustomerRelationsOrganizationUpdatePayload',
+      organization: {
+        __typename: 'CustomerRelationsOrganization',
+        id: 'gid://gitlab/CustomerRelations::Organization/2',
+        name: 'A',
+        defaultRate: null,
+        description: null,
+      },
+      errors: [],
+    },
+  },
+};
+
+export const updateOrganizationMutationErrorResponse = {
+  data: {
+    customerRelationsOrganizationUpdate: {
+      organization: null,
+      errors: ['Description is invalid.'],
+    },
+  },
+};
diff --git a/spec/frontend/crm/new_organization_form_spec.js b/spec/frontend/crm/new_organization_form_spec.js
deleted file mode 100644
index 0a7909774c9..00000000000
--- a/spec/frontend/crm/new_organization_form_spec.js
+++ /dev/null
@@ -1,109 +0,0 @@
-import { GlAlert } from '@gitlab/ui';
-import Vue from 'vue';
-import VueApollo from 'vue-apollo';
-import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
-import createMockApollo from 'helpers/mock_apollo_helper';
-import waitForPromises from 'helpers/wait_for_promises';
-import NewOrganizationForm from '~/crm/components/new_organization_form.vue';
-import createOrganizationMutation from '~/crm/components/queries/create_organization.mutation.graphql';
-import getGroupOrganizationsQuery from '~/crm/components/queries/get_group_organizations.query.graphql';
-import {
-  createOrganizationMutationErrorResponse,
-  createOrganizationMutationResponse,
-  getGroupOrganizationsQueryResponse,
-} from './mock_data';
-
-describe('Customer relations organizations root app', () => {
-  Vue.use(VueApollo);
-  let wrapper;
-  let fakeApollo;
-  let queryHandler;
-
-  const findCreateNewOrganizationButton = () =>
-    wrapper.findByTestId('create-new-organization-button');
-  const findCancelButton = () => wrapper.findByTestId('cancel-button');
-  const findForm = () => wrapper.find('form');
-  const findError = () => wrapper.findComponent(GlAlert);
-
-  const mountComponent = () => {
-    fakeApollo = createMockApollo([[createOrganizationMutation, queryHandler]]);
-    fakeApollo.clients.defaultClient.cache.writeQuery({
-      query: getGroupOrganizationsQuery,
-      variables: { groupFullPath: 'flightjs' },
-      data: getGroupOrganizationsQueryResponse.data,
-    });
-    wrapper = shallowMountExtended(NewOrganizationForm, {
-      provide: { groupId: 26, groupFullPath: 'flightjs' },
-      apolloProvider: fakeApollo,
-      propsData: { drawerOpen: true },
-    });
-  };
-
-  beforeEach(() => {
-    queryHandler = jest.fn().mockResolvedValue(createOrganizationMutationResponse);
-  });
-
-  afterEach(() => {
-    wrapper.destroy();
-    fakeApollo = null;
-  });
-
-  describe('Create new organization button', () => {
-    it('should be disabled by default', () => {
-      mountComponent();
-
-      expect(findCreateNewOrganizationButton().attributes('disabled')).toBeTruthy();
-    });
-
-    it('should not be disabled when first, last and email have values', async () => {
-      mountComponent();
-
-      wrapper.find('#organization-name').vm.$emit('input', 'A');
-      await waitForPromises();
-
-      expect(findCreateNewOrganizationButton().attributes('disabled')).toBeFalsy();
-    });
-  });
-
-  it("should emit 'close' when cancel button is clicked", () => {
-    mountComponent();
-
-    findCancelButton().vm.$emit('click');
-
-    expect(wrapper.emitted().close).toBeTruthy();
-  });
-
-  describe('when query is successful', () => {
-    it("should emit 'close'", async () => {
-      mountComponent();
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(wrapper.emitted().close).toBeTruthy();
-    });
-  });
-
-  describe('when query fails', () => {
-    it('should show error on reject', async () => {
-      queryHandler = jest.fn().mockRejectedValue('ERROR');
-      mountComponent();
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(findError().exists()).toBe(true);
-    });
-
-    it('should show error on error response', async () => {
-      queryHandler = jest.fn().mockResolvedValue(createOrganizationMutationErrorResponse);
-      mountComponent();
-
-      findForm().trigger('submit');
-      await waitForPromises();
-
-      expect(findError().exists()).toBe(true);
-      expect(findError().text()).toBe('create organization is invalid.');
-    });
-  });
-});
diff --git a/spec/frontend/crm/organization_form_wrapper_spec.js b/spec/frontend/crm/organization_form_wrapper_spec.js
new file mode 100644
index 00000000000..1a5a7c6ca5d
--- /dev/null
+++ b/spec/frontend/crm/organization_form_wrapper_spec.js
@@ -0,0 +1,88 @@
+import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
+import OrganizationFormWrapper from '~/crm/organizations/components/organization_form_wrapper.vue';
+import OrganizationForm from '~/crm/components/form.vue';
+import getGroupOrganizationsQuery from '~/crm/organizations/components/graphql/get_group_organizations.query.graphql';
+import createOrganizationMutation from '~/crm/organizations/components/graphql/create_organization.mutation.graphql';
+import updateOrganizationMutation from '~/crm/organizations/components/graphql/update_organization.mutation.graphql';
+
+describe('Customer relations organization form wrapper', () => {
+  let wrapper;
+
+  const findOrganizationForm = () => wrapper.findComponent(OrganizationForm);
+
+  const $apollo = {
+    queries: {
+      organizations: {
+        loading: false,
+      },
+    },
+  };
+  const $route = {
+    params: {
+      id: 7,
+    },
+  };
+  const organizations = [{ id: 'gid://gitlab/CustomerRelations::Organization/7' }];
+
+  const mountComponent = ({ isEditMode = false } = {}) => {
+    wrapper = shallowMountExtended(OrganizationFormWrapper, {
+      propsData: {
+        isEditMode,
+      },
+      provide: {
+        groupFullPath: 'flightjs',
+        groupId: 26,
+      },
+      mocks: {
+        $apollo,
+        $route,
+      },
+    });
+  };
+
+  afterEach(() => {
+    wrapper.destroy();
+  });
+
+  describe('in edit mode', () => {
+    it('should render organization form with correct props', () => {
+      mountComponent({ isEditMode: true });
+
+      const organizationForm = findOrganizationForm();
+      expect(organizationForm.props('fields')).toHaveLength(3);
+      expect(organizationForm.props('title')).toBe('Edit organization');
+      expect(organizationForm.props('successMessage')).toBe('Organization has been updated.');
+      expect(organizationForm.props('mutation')).toBe(updateOrganizationMutation);
+      expect(organizationForm.props('getQuery')).toMatchObject({
+        query: getGroupOrganizationsQuery,
+        variables: { groupFullPath: 'flightjs' },
+      });
+      expect(organizationForm.props('getQueryNodePath')).toBe('group.organizations');
+      expect(organizationForm.props('existingId')).toBe(organizations[0].id);
+      expect(organizationForm.props('additionalCreateParams')).toMatchObject({
+        groupId: 'gid://gitlab/Group/26',
+      });
+    });
+  });
+
+  describe('in create mode', () => {
+    it('should render organization form with correct props', () => {
+      mountComponent();
+
+      const organizationForm = findOrganizationForm();
+      expect(organizationForm.props('fields')).toHaveLength(3);
+      expect(organizationForm.props('title')).toBe('New organization');
+      expect(organizationForm.props('successMessage')).toBe('Organization has been added.');
+      expect(organizationForm.props('mutation')).toBe(createOrganizationMutation);
+      expect(organizationForm.props('getQuery')).toMatchObject({
+        query: getGroupOrganizationsQuery,
+        variables: { groupFullPath: 'flightjs' },
+      });
+      expect(organizationForm.props('getQueryNodePath')).toBe('group.organizations');
+      expect(organizationForm.props('existingId')).toBeNull();
+      expect(organizationForm.props('additionalCreateParams')).toMatchObject({
+        groupId: 'gid://gitlab/Group/26',
+      });
+    });
+  });
+});
diff --git a/spec/frontend/crm/organizations_root_spec.js b/spec/frontend/crm/organizations_root_spec.js
index aef417964f4..231208d938e 100644
--- a/spec/frontend/crm/organizations_root_spec.js
+++ b/spec/frontend/crm/organizations_root_spec.js
@@ -5,11 +5,9 @@ import VueRouter from 'vue-router';
 import { mountExtended, shallowMountExtended } from 'helpers/vue_test_utils_helper';
 import createMockApollo from 'helpers/mock_apollo_helper';
 import waitForPromises from 'helpers/wait_for_promises';
-import OrganizationsRoot from '~/crm/components/organizations_root.vue';
-import NewOrganizationForm from '~/crm/components/new_organization_form.vue';
-import { NEW_ROUTE_NAME } from '~/crm/constants';
-import routes from '~/crm/routes';
-import getGroupOrganizationsQuery from '~/crm/components/queries/get_group_organizations.query.graphql';
+import OrganizationsRoot from '~/crm/organizations/components/organizations_root.vue';
+import routes from '~/crm/organizations/routes';
+import getGroupOrganizationsQuery from '~/crm/organizations/components/graphql/get_group_organizations.query.graphql';
 import { getGroupOrganizationsQueryResponse } from './mock_data';
 
 describe('Customer relations organizations root app', () => {
@@ -23,7 +21,6 @@ describe('Customer relations organizations root app', () => {
   const findRowByName = (rowName) => wrapper.findAllByRole('row', { name: rowName });
   const findIssuesLinks = () => wrapper.findAllByTestId('issues-link');
   const findNewOrganizationButton = () => wrapper.findByTestId('new-organization-button');
-  const findNewOrganizationForm = () => wrapper.findComponent(NewOrganizationForm);
   const findError = () => wrapper.findComponent(GlAlert);
   const successQueryHandler = jest.fn().mockResolvedValue(getGroupOrganizationsQueryResponse);
 
@@ -37,7 +34,11 @@ describe('Customer relations organizations root app', () => {
     fakeApollo = createMockApollo([[getGroupOrganizationsQuery, queryHandler]]);
     wrapper = mountFunction(OrganizationsRoot, {
       router,
-      provide: { canAdminCrmOrganization, groupFullPath: 'flightjs', groupIssuesPath: '/issues' },
+      provide: {
+        canAdminCrmOrganization,
+        groupFullPath: 'flightjs',
+        groupIssuesPath: '/issues',
+      },
       apolloProvider: fakeApollo,
     });
   };
@@ -76,42 +77,6 @@ describe('Customer relations organizations root app', () => {
     });
   });
 
-  describe('new organization form', () => {
-    it('should not exist by default', async () => {
-      mountComponent();
-      await waitForPromises();
-
-      expect(findNewOrganizationForm().exists()).toBe(false);
-    });
-
-    it('should exist when user clicks new contact button', async () => {
-      mountComponent();
-
-      findNewOrganizationButton().vm.$emit('click');
-      await waitForPromises();
-
-      expect(findNewOrganizationForm().exists()).toBe(true);
-    });
-
-    it('should exist when user navigates directly to /new', async () => {
-      router.replace({ name: NEW_ROUTE_NAME });
-      mountComponent();
-      await waitForPromises();
-
-      expect(findNewOrganizationForm().exists()).toBe(true);
-    });
-
-    it('should not exist when form emits close', async () => {
-      router.replace({ name: NEW_ROUTE_NAME });
-      mountComponent();
-
-      findNewOrganizationForm().vm.$emit('close');
-      await waitForPromises();
-
-      expect(findNewOrganizationForm().exists()).toBe(false);
-    });
-  });
-
   it('should render error message on reject', async () => {
     mountComponent({ queryHandler: jest.fn().mockRejectedValue('ERROR') });
     await waitForPromises();
diff --git a/spec/frontend/ide/components/ide_side_bar_spec.js b/spec/frontend/ide/components/ide_side_bar_spec.js
index 34f14ef23a4..ace8988b8c9 100644
--- a/spec/frontend/ide/components/ide_side_bar_spec.js
+++ b/spec/frontend/ide/components/ide_side_bar_spec.js
@@ -1,4 +1,4 @@
-import { GlSkeletonLoading } from '@gitlab/ui';
+import { GlDeprecatedSkeletonLoading as GlSkeletonLoading } from '@gitlab/ui';
 import { mount } from '@vue/test-utils';
 import Vue, { nextTick } from 'vue';
 import Vuex from 'vuex';
diff --git a/spec/frontend/lib/utils/text_markdown_spec.js b/spec/frontend/lib/utils/text_markdown_spec.js
index a5877aa6e3e..55c18de0845 100644
--- a/spec/frontend/lib/utils/text_markdown_spec.js
+++ b/spec/frontend/lib/utils/text_markdown_spec.js
@@ -179,11 +179,13 @@ describe('init markdown', () => {
           text                           | expected
           ${'- item'}                    | ${'- item\n- '}
           ${'- [ ] item'}                | ${'- [ ] item\n- [ ] '}
-          ${'- [x] item'}                | ${'- [x] item\n- [x] '}
+          ${'- [x] item'}                | ${'- [x] item\n- [ ] '}
+          ${'- [X] item'}                | ${'- [X] item\n- [ ] '}
           ${'- item\n  - second'}        | ${'- item\n  - second\n  - '}
           ${'1. item'}                   | ${'1. item\n2. '}
           ${'1. [ ] item'}               | ${'1. [ ] item\n2. [ ] '}
-          ${'1. [x] item'}               | ${'1. [x] item\n2. [x] '}
+          ${'1. [x] item'}               | ${'1. [x] item\n2. [ ] '}
+          ${'1. [X] item'}               | ${'1. [X] item\n2. [ ] '}
           ${'108. item'}                 | ${'108. item\n109. '}
           ${'108. item\n     - second'}  | ${'108. item\n     - second\n     - '}
           ${'108. item\n     1. second'} | ${'108. item\n     1. second\n     2. '}
@@ -207,10 +209,12 @@ describe('init markdown', () => {
           ${'- item\n- '}                          | ${'- item\n'}
           ${'- [ ] item\n- [ ] '}                  | ${'- [ ] item\n'}
           ${'- [x] item\n- [x] '}                  | ${'- [x] item\n'}
+          ${'- [X] item\n- [X] '}                  | ${'- [X] item\n'}
           ${'- item\n  - second\n  - '}            | ${'- item\n  - second\n'}
           ${'1. item\n2. '}                        | ${'1. item\n'}
           ${'1. [ ] item\n2. [ ] '}                | ${'1. [ ] item\n'}
           ${'1. [x] item\n2. [x] '}                | ${'1. [x] item\n'}
+          ${'1. [X] item\n2. [X] '}                | ${'1. [X] item\n'}
           ${'108. item\n109. '}                    | ${'108. item\n'}
           ${'108. item\n     - second\n     - '}   | ${'108. item\n     - second\n'}
           ${'108. item\n     1. second\n     1. '} | ${'108. item\n     1. second\n'}
diff --git a/spec/frontend/runner/components/runner_jobs_spec.js b/spec/frontend/runner/components/runner_jobs_spec.js
index 9abb2861005..9e40e911448 100644
--- a/spec/frontend/runner/components/runner_jobs_spec.js
+++ b/spec/frontend/runner/components/runner_jobs_spec.js
@@ -1,4 +1,4 @@
-import { GlSkeletonLoading } from '@gitlab/ui';
+import { GlDeprecatedSkeletonLoading as GlSkeletonLoading } from '@gitlab/ui';
 import Vue from 'vue';
 import VueApollo from 'vue-apollo';
 import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
diff --git a/spec/frontend/runner/components/runner_projects_spec.js b/spec/frontend/runner/components/runner_projects_spec.js
index 96de8d11bca..62ebc6539e2 100644
--- a/spec/frontend/runner/components/runner_projects_spec.js
+++ b/spec/frontend/runner/components/runner_projects_spec.js
@@ -1,4 +1,4 @@
-import { GlSkeletonLoading } from '@gitlab/ui';
+import { GlDeprecatedSkeletonLoading as GlSkeletonLoading } from '@gitlab/ui';
 import Vue from 'vue';
 import VueApollo from 'vue-apollo';
 import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
diff --git a/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js b/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js
index 64823cd4c6c..058cb30c1d5 100644
--- a/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js
+++ b/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js
@@ -1,4 +1,9 @@
-import { GlAlert, GlKeysetPagination, GlSkeletonLoading, GlPagination } from '@gitlab/ui';
+import {
+  GlAlert,
+  GlKeysetPagination,
+  GlDeprecatedSkeletonLoading as GlSkeletonLoading,
+  GlPagination,
+} from '@gitlab/ui';
 import { shallowMount } from '@vue/test-utils';
 import VueDraggable from 'vuedraggable';
 
diff --git a/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb b/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
index ccc861baae5..66a5f0277fb 100644
--- a/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
+++ b/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
 
   let(:current_user) { reporter }
 
-  before_all do
+  before do
     project.add_guest(guest)
     project.add_reporter(reporter)
   end
@@ -20,13 +20,8 @@ RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
     expect(described_class).to have_nullable_graphql_type(::Types::Ci::AnalyticsType)
   end
 
-  def resolve_statistics(project, args)
-    ctx = { current_user: current_user }
-    resolve(described_class, obj: project, args: args, ctx: ctx)
-  end
-
-  describe '#resolve' do
-    it 'returns the pipelines statistics for a given project' do
+  shared_examples 'returns the pipelines statistics for a given project' do
+    it do
       result = resolve_statistics(project, {})
       expect(result.keys).to contain_exactly(
         :week_pipelines_labels,
@@ -42,14 +37,67 @@ RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
         :pipeline_times_values
       )
     end
+  end
+
+  shared_examples 'it returns nils' do
+    it do
+      result = resolve_statistics(project, {})
+
+      expect(result).to be_nil
+    end
+  end
+
+  def resolve_statistics(project, args)
+    ctx = { current_user: current_user }
+    resolve(described_class, obj: project, args: args, ctx: ctx)
+  end
+
+  describe '#resolve' do
+    it_behaves_like 'returns the pipelines statistics for a given project'
 
     context 'when the user does not have access to the CI/CD analytics data' do
       let(:current_user) { guest }
 
-      it 'returns nil' do
-        result = resolve_statistics(project, {})
+      it_behaves_like 'it returns nils'
+    end
 
-        expect(result).to be_nil
+    context 'when the project is public' do
+      let_it_be(:project) { create(:project, :public) }
+
+      context 'public pipelines are disabled' do
+        before do
+          project.update!(public_builds: false)
+        end
+
+        context 'user is not a member' do
+          let(:current_user) { create(:user) }
+
+          it_behaves_like 'it returns nils'
+        end
+
+        context 'user is a guest' do
+          let(:current_user) { guest }
+
+          it_behaves_like 'it returns nils'
+        end
+
+        context 'user is a reporter or above' do
+          let(:current_user) { reporter }
+
+          it_behaves_like 'returns the pipelines statistics for a given project'
+        end
+      end
+
+      context 'public pipelines are enabled' do
+        before do
+          project.update!(public_builds: true)
+        end
+
+        context 'user is not a member' do
+          let(:current_user) { create(:user) }
+
+          it_behaves_like 'returns the pipelines statistics for a given project'
+        end
       end
     end
   end
diff --git a/spec/initializers/rdoc_segfault_patch_spec.rb b/spec/initializers/rdoc_segfault_patch_spec.rb
new file mode 100644
index 00000000000..f9630295052
--- /dev/null
+++ b/spec/initializers/rdoc_segfault_patch_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+RSpec.describe 'RDoc segfault patch fix' do
+  describe 'RDoc::Markup::ToHtml' do
+    describe '#parseable?' do
+      it 'returns false' do
+        to_html = RDoc::Markup::ToHtml.new( nil)
+
+        expect(to_html.parseable?('"def foo; end"')).to eq(false)
+      end
+    end
+  end
+
+  describe 'RDoc::Markup::Verbatim' do
+    describe 'ruby?' do
+      it 'returns false' do
+        verbatim = RDoc::Markup::Verbatim.new('def foo; end')
+        verbatim.format = :ruby
+
+        expect(verbatim.ruby?).to eq(false)
+      end
+    end
+  end
+end
diff --git a/spec/lib/banzai/filter/kroki_filter_spec.rb b/spec/lib/banzai/filter/kroki_filter_spec.rb
index d9e48754559..1fb61ad1991 100644
--- a/spec/lib/banzai/filter/kroki_filter_spec.rb
+++ b/spec/lib/banzai/filter/kroki_filter_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe Banzai::Filter::KrokiFilter do
     stub_application_setting(kroki_enabled: true, kroki_url: "http://localhost:8000")
     doc = filter("<pre lang='nomnoml'><code>[Pirate|eyeCount: Int|raid();pillage()|\n  [beard]--[parrot]\n  [beard]-:>[foul mouth]\n]</code></pre>")
 
-    expect(doc.to_s).to eq '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KzhUlCITkpNLEqJ1dWNLkgsKsoviUUSs7KLTssvzVHIzS8tyYjligUAMhEd0g==" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDogSW50fHJhaWQoKTtwaWxsYWdlKCl8CiAgW2JlYXJkXS0tW3BhcnJvdF0KICBbYmVhcmRdLTo+W2ZvdWwgbW91dGhdCl0=">'
+    expect(doc.to_s).to eq '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KzhUlCITkpNLEqJ1dWNLkgsKsoviUUSs7KLTssvzVHIzS8tyYjligUAMhEd0g==" class="js-render-kroki" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDogSW50fHJhaWQoKTtwaWxsYWdlKCl8CiAgW2JlYXJkXS0tW3BhcnJvdF0KICBbYmVhcmRdLTo+W2ZvdWwgbW91dGhdCl0=">'
   end
 
   it 'replaces nomnoml pre tag with img tag if both kroki and plantuml are enabled' do
@@ -19,7 +19,7 @@ RSpec.describe Banzai::Filter::KrokiFilter do
                              plantuml_url: "http://localhost:8080")
     doc = filter("<pre lang='nomnoml'><code>[Pirate|eyeCount: Int|raid();pillage()|\n  [beard]--[parrot]\n  [beard]-:>[foul mouth]\n]</code></pre>")
 
-    expect(doc.to_s).to eq '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KzhUlCITkpNLEqJ1dWNLkgsKsoviUUSs7KLTssvzVHIzS8tyYjligUAMhEd0g==" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDogSW50fHJhaWQoKTtwaWxsYWdlKCl8CiAgW2JlYXJkXS0tW3BhcnJvdF0KICBbYmVhcmRdLTo+W2ZvdWwgbW91dGhdCl0=">'
+    expect(doc.to_s).to eq '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KzhUlCITkpNLEqJ1dWNLkgsKsoviUUSs7KLTssvzVHIzS8tyYjligUAMhEd0g==" class="js-render-kroki" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDogSW50fHJhaWQoKTtwaWxsYWdlKCl8CiAgW2JlYXJkXS0tW3BhcnJvdF0KICBbYmVhcmRdLTo+W2ZvdWwgbW91dGhdCl0=">'
   end
 
   it 'does not replace nomnoml pre tag with img tag if kroki is disabled' do
@@ -38,4 +38,12 @@ RSpec.describe Banzai::Filter::KrokiFilter do
 
     expect(doc.to_s).to eq '<pre lang="plantuml"><code>Bob-&gt;Alice : hello</code></pre>'
   end
+
+  it 'adds hidden attribute when content size is large' do
+    stub_application_setting(kroki_enabled: true, kroki_url: "http://localhost:8000")
+    text = '[Pirate|eyeCount: Int|raid();pillage()|\n  [beard]--[parrot]\n  [beard]-:>[foul mouth]\n]' * 25
+    doc = filter("<pre lang='nomnoml'><code>#{text}</code></pre>")
+
+    expect(doc.to_s).to start_with '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KyJyVNQiE5KTSxKidXVjS5ILCrKL4lFFrSyi07LL81RyM0vLckAysRGjxo8avCowaMGjxo8avCowaMGU8lgAE7mIdc=" hidden="" class="js-render-kroki" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDog'
+  end
 end
diff --git a/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb b/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
index aee4bd93207..16c958ec10b 100644
--- a/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
+++ b/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
@@ -132,6 +132,12 @@ RSpec.describe Banzai::Filter::SyntaxHighlightFilter do
 
       expect(result.to_html.delete("\n")).to eq('<div class="gl-relative markdown-code-block js-markdown-code"><pre data-sourcepos="1:1-3:3" class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">This is a test</span></code></pre><copy-code></copy-code></div>')
     end
+
+    it "escape sourcepos metadata to prevent XSS" do
+      result = filter('<pre data-sourcepos="&#34;%22 href=&#34;x&#34;></pre><base href=http://unsafe-website.com/><pre x=&#34;"><code></code></pre>')
+
+      expect(result.to_html.delete("\n")).to eq('<div class="gl-relative markdown-code-block js-markdown-code"><pre data-sourcepos=\'"%22 href="x"&gt;&lt;/pre&gt;&lt;base href=http://unsafe-website.com/&gt;&lt;pre x="\' class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code></code></pre><copy-code></copy-code></div>')
+    end
   end
 
   context "when Rouge lexing fails" do
diff --git a/spec/lib/banzai/reference_redactor_spec.rb b/spec/lib/banzai/reference_redactor_spec.rb
index 45e14032a98..344b8988296 100644
--- a/spec/lib/banzai/reference_redactor_spec.rb
+++ b/spec/lib/banzai/reference_redactor_spec.rb
@@ -35,7 +35,7 @@ RSpec.describe Banzai::ReferenceRedactor do
       end
 
       context 'when data-original attribute provided' do
-        let(:original_content) { '<code>foo</code>' }
+        let(:original_content) { '&lt;script&gt;alert(1);&lt;/script&gt;' }
 
         it 'replaces redacted reference with original content' do
           doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-original='#{original_content}'>bar</a>")
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 706344831b8..f5a74956174 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -87,7 +87,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
       end
 
       context 'when IP is already banned' do
-        subject { gl_auth.find_for_git_client('username', Gitlab::Password.test_default, project: nil, ip: 'ip') }
+        subject { gl_auth.find_for_git_client('username', 'password', project: nil, ip: 'ip') }
 
         before do
           expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter|
@@ -219,16 +219,16 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
     end
 
     it 'recognizes master passwords' do
-      user = create(:user, password: Gitlab::Password.test_default)
+      user = create(:user, password: 'password')
 
-      expect(gl_auth.find_for_git_client(user.username, Gitlab::Password.test_default, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
+      expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
     end
 
     include_examples 'user login operation with unique ip limit' do
-      let(:user) { create(:user, password: Gitlab::Password.test_default) }
+      let(:user) { create(:user, password: 'password') }
 
       def operation
-        expect(gl_auth.find_for_git_client(user.username, Gitlab::Password.test_default, project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
+        expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
       end
     end
 
@@ -492,7 +492,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
           :user,
           :blocked,
           username: 'normal_user',
-          password: Gitlab::Password.test_default
+          password: 'my-secret'
         )
 
         expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
@@ -501,7 +501,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
 
       context 'when 2fa is enabled globally' do
         let_it_be(:user) do
-          create(:user, username: 'normal_user', password: Gitlab::Password.test_default, otp_grace_period_started_at: 1.day.ago)
+          create(:user, username: 'normal_user', password: 'my-secret', otp_grace_period_started_at: 1.day.ago)
         end
 
         before do
@@ -525,7 +525,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
 
       context 'when 2fa is enabled personally' do
         let(:user) do
-          create(:user, :two_factor, username: 'normal_user', password: Gitlab::Password.test_default, otp_grace_period_started_at: 1.day.ago)
+          create(:user, :two_factor, username: 'normal_user', password: 'my-secret', otp_grace_period_started_at: 1.day.ago)
         end
 
         it 'fails' do
@@ -538,7 +538,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
         user = create(
           :user,
           username: 'normal_user',
-          password: Gitlab::Password.test_default
+          password: 'my-secret'
         )
 
         expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
@@ -549,7 +549,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
         user = create(
           :user,
           username: 'oauth2',
-          password: Gitlab::Password.test_default
+          password: 'my-secret'
         )
 
         expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
@@ -624,7 +624,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
 
       context 'when deploy token and user have the same username' do
         let(:username) { 'normal_user' }
-        let(:user) { create(:user, username: username, password: Gitlab::Password.test_default) }
+        let(:user) { create(:user, username: username, password: 'my-secret') }
         let(:deploy_token) { create(:deploy_token, username: username, read_registry: false, projects: [project]) }
 
         it 'succeeds for the token' do
@@ -637,7 +637,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
         it 'succeeds for the user' do
           auth_success = { actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities }
 
-          expect(gl_auth.find_for_git_client(username, Gitlab::Password.test_default, project: project, ip: 'ip'))
+          expect(gl_auth.find_for_git_client(username, 'my-secret', project: project, ip: 'ip'))
             .to have_attributes(auth_success)
         end
       end
@@ -831,7 +831,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
     end
 
     let(:username) { 'John' } # username isn't lowercase, test this
-    let(:password) { Gitlab::Password.test_default }
+    let(:password) { 'my-secret' }
 
     it "finds user by valid login/password" do
       expect(gl_auth.find_with_user_password(username, password)).to eql user
@@ -956,13 +956,13 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
       it "does not find user by using ldap as fallback to for authentication" do
         expect(Gitlab::Auth::Ldap::Authentication).to receive(:login).and_return(nil)
 
-        expect(gl_auth.find_with_user_password('ldap_user', Gitlab::Password.test_default)).to be_nil
+        expect(gl_auth.find_with_user_password('ldap_user', 'password')).to be_nil
       end
 
       it "find new user by using ldap as fallback to for authentication" do
         expect(Gitlab::Auth::Ldap::Authentication).to receive(:login).and_return(user)
 
-        expect(gl_auth.find_with_user_password('ldap_user', Gitlab::Password.test_default)).to eq(user)
+        expect(gl_auth.find_with_user_password('ldap_user', 'password')).to eq(user)
       end
     end
 
diff --git a/spec/lib/gitlab/ci/config/external/file/artifact_spec.rb b/spec/lib/gitlab/ci/config/external/file/artifact_spec.rb
index 3678b46c8ff..0f1dae27293 100644
--- a/spec/lib/gitlab/ci/config/external/file/artifact_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/file/artifact_spec.rb
@@ -128,6 +128,12 @@ RSpec.describe Gitlab::Ci::Config::External::File::Artifact do
                 let!(:metadata) { create(:ci_job_artifact, :metadata, job: generator_job) }
 
                 context 'when file is empty' do
+                  let(:params) { { artifact: 'secret_stuff/generated.yml', job: 'generator' } }
+                  let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret_stuff', 'masked' => true }]) }
+                  let(:context) do
+                    Gitlab::Ci::Config::External::Context.new(parent_pipeline: parent_pipeline, variables: variables)
+                  end
+
                   before do
                     allow_next_instance_of(Gitlab::Ci::ArtifactFileReader) do |reader|
                       allow(reader).to receive(:read).and_return('')
@@ -135,7 +141,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Artifact do
                   end
 
                   let(:expected_error) do
-                    'File `generated.yml` is empty!'
+                    'File `xxxxxxxxxxxx/generated.yml` is empty!'
                   end
 
                   it_behaves_like 'is invalid'
diff --git a/spec/lib/gitlab/ci/config/external/file/base_spec.rb b/spec/lib/gitlab/ci/config/external/file/base_spec.rb
index a3a319313c4..71b1a58c82e 100644
--- a/spec/lib/gitlab/ci/config/external/file/base_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/file/base_spec.rb
@@ -3,7 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::Ci::Config::External::File::Base do
-  let(:context_params) { { sha: 'HEAD' } }
+  let(:variables) { }
+  let(:context_params) { { sha: 'HEAD', variables: variables } }
   let(:context) { Gitlab::Ci::Config::External::Context.new(**context_params) }
 
   let(:test_class) do
@@ -81,7 +82,8 @@ RSpec.describe Gitlab::Ci::Config::External::File::Base do
     end
 
     context 'when there are YAML syntax errors' do
-      let(:location) { 'some/file/config.yml' }
+      let(:location) { 'some/file/secret_file_name.yml' }
+      let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret_file_name', 'masked' => true }]) }
 
       before do
         allow_any_instance_of(test_class)
@@ -90,7 +92,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Base do
 
       it 'is not a valid file' do
         expect(valid?).to be_falsy
-        expect(file.error_message).to match /does not have valid YAML syntax/
+        expect(file.error_message).to eq('Included file `some/file/xxxxxxxxxxxxxxxx.yml` does not have valid YAML syntax!')
       end
     end
   end
diff --git a/spec/lib/gitlab/ci/config/external/file/local_spec.rb b/spec/lib/gitlab/ci/config/external/file/local_spec.rb
index a13e4410207..f4f713ee46c 100644
--- a/spec/lib/gitlab/ci/config/external/file/local_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/file/local_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Local do
   let_it_be(:user) { create(:user) }
 
   let(:sha) { '12345' }
+  let(:variables) { project.predefined_variables.to_runner_variables }
   let(:context) { Gitlab::Ci::Config::External::Context.new(**context_params) }
   let(:params) { { local: location } }
   let(:local_file) { described_class.new(params, context) }
@@ -18,7 +19,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Local do
       sha: sha,
       user: user,
       parent_pipeline: parent_pipeline,
-      variables: project.predefined_variables.to_runner_variables
+      variables: variables
     }
   end
 
@@ -69,18 +70,29 @@ RSpec.describe Gitlab::Ci::Config::External::File::Local do
       it { is_expected.to be_truthy }
     end
 
-    context 'when is not a valid local path' do
+    context 'when it is not a valid local path' do
       let(:location) { '/lib/gitlab/ci/templates/non-existent-file.yml' }
 
       it { is_expected.to be_falsy }
     end
 
-    context 'when is not a yaml file' do
+    context 'when it is not a yaml file' do
       let(:location) { '/config/application.rb' }
 
       it { is_expected.to be_falsy }
     end
 
+    context 'when it is an empty file' do
+      let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret', 'masked' => true }]) }
+      let(:location) { '/lib/gitlab/ci/templates/secret/existent-file.yml' }
+
+      it 'returns false and adds an error message about an empty file' do
+        allow_any_instance_of(described_class).to receive(:fetch_local_content).and_return("")
+        local_file.validate!
+        expect(local_file.errors).to include("Local file `/lib/gitlab/ci/templates/xxxxxx/existent-file.yml` is empty!")
+      end
+    end
+
     context 'when the given sha is not valid' do
       let(:location) { '/lib/gitlab/ci/templates/existent-file.yml' }
       let(:sha) { ':' }
@@ -125,14 +137,15 @@ RSpec.describe Gitlab::Ci::Config::External::File::Local do
   end
 
   describe '#error_message' do
-    let(:location) { '/lib/gitlab/ci/templates/non-existent-file.yml' }
+    let(:location) { '/lib/gitlab/ci/templates/secret_file.yml' }
+    let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret_file', 'masked' => true }]) }
 
     before do
       local_file.validate!
     end
 
     it 'returns an error message' do
-      expect(local_file.error_message).to eq("Local file `#{location}` does not exist!")
+      expect(local_file.error_message).to eq("Local file `/lib/gitlab/ci/templates/xxxxxxxxxxx.yml` does not exist!")
     end
   end
 
diff --git a/spec/lib/gitlab/ci/config/external/file/project_spec.rb b/spec/lib/gitlab/ci/config/external/file/project_spec.rb
index 96d67b65abe..aa46fa61bf6 100644
--- a/spec/lib/gitlab/ci/config/external/file/project_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/file/project_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Project do
   let(:parent_pipeline) { double(:parent_pipeline) }
   let(:context) { Gitlab::Ci::Config::External::Context.new(**context_params) }
   let(:project_file) { described_class.new(params, context) }
+  let(:variables) { project.predefined_variables.to_runner_variables }
 
   let(:context_params) do
     {
@@ -18,7 +19,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Project do
       sha: '12345',
       user: context_user,
       parent_pipeline: parent_pipeline,
-      variables: project.predefined_variables.to_runner_variables
+      variables: variables
     }
   end
 
@@ -109,18 +110,19 @@ RSpec.describe Gitlab::Ci::Config::External::File::Project do
 
     context 'when an empty file is used' do
       let(:params) do
-        { project: project.full_path, file: '/file.yml' }
+        { project: project.full_path, file: '/secret_file.yml' }
       end
 
+      let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret_file', 'masked' => true }]) }
       let(:root_ref_sha) { project.repository.root_ref_sha }
 
       before do
-        stub_project_blob(root_ref_sha, '/file.yml') { '' }
+        stub_project_blob(root_ref_sha, '/secret_file.yml') { '' }
       end
 
       it 'returns false' do
         expect(valid?).to be_falsy
-        expect(project_file.error_message).to include("Project `#{project.full_path}` file `/file.yml` is empty!")
+        expect(project_file.error_message).to include("Project `#{project.full_path}` file `/xxxxxxxxxxx.yml` is empty!")
       end
     end
 
@@ -136,13 +138,15 @@ RSpec.describe Gitlab::Ci::Config::External::File::Project do
     end
 
     context 'when non-existing file is requested' do
+      let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret-invalid-file', 'masked' => true }]) }
+
       let(:params) do
-        { project: project.full_path, file: '/invalid-file.yml' }
+        { project: project.full_path, file: '/secret-invalid-file.yml' }
       end
 
       it 'returns false' do
         expect(valid?).to be_falsy
-        expect(project_file.error_message).to include("Project `#{project.full_path}` file `/invalid-file.yml` does not exist!")
+        expect(project_file.error_message).to include("Project `#{project.full_path}` file `/xxxxxxxxxxxxxxxxxxx.yml` does not exist!")
       end
     end
 
diff --git a/spec/lib/gitlab/ci/config/external/file/remote_spec.rb b/spec/lib/gitlab/ci/config/external/file/remote_spec.rb
index 56113532787..5f148f6c411 100644
--- a/spec/lib/gitlab/ci/config/external/file/remote_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/file/remote_spec.rb
@@ -5,11 +5,12 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Config::External::File::Remote do
   include StubRequests
 
-  let(:context_params) { { sha: '12345' } }
+  let(:variables) {Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret_file', 'masked' => true }]) }
+  let(:context_params) { { sha: '12345', variables: variables } }
   let(:context) { Gitlab::Ci::Config::External::Context.new(**context_params) }
   let(:params) { { remote: location } }
   let(:remote_file) { described_class.new(params, context) }
-  let(:location) { 'https://gitlab.com/gitlab-org/gitlab-foss/blob/1234/.gitlab-ci-1.yml' }
+  let(:location) { 'https://gitlab.com/gitlab-org/gitlab-foss/blob/1234/.secret_file.yml' }
   let(:remote_file_content) do
     <<~HEREDOC
       before_script:
@@ -142,10 +143,10 @@ RSpec.describe Gitlab::Ci::Config::External::File::Remote do
     end
 
     context 'when remote file location is not valid' do
-      let(:location) { 'not-valid://gitlab.com/gitlab-org/gitlab-foss/blob/1234/.gitlab-ci-1.yml' }
+      let(:location) { 'not-valid://gitlab.com/gitlab-org/gitlab-foss/blob/1234/?secret_file.yml' }
 
       it 'returns an error message describing invalid address' do
-        expect(subject).to match /does not have a valid address!/
+        expect(subject).to eq('Remote file `not-valid://gitlab.com/gitlab-org/gitlab-foss/blob/1234/?xxxxxxxxxxx.yml` does not have a valid address!')
       end
     end
 
@@ -155,7 +156,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Remote do
       end
 
       it 'returns error message about a timeout' do
-        expect(subject).to match /could not be fetched because of a timeout error!/
+        expect(subject).to eq('Remote file `https://gitlab.com/gitlab-org/gitlab-foss/blob/1234/.xxxxxxxxxxx.yml` could not be fetched because of a timeout error!')
       end
     end
 
@@ -165,7 +166,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Remote do
       end
 
       it 'returns error message about a HTTP error' do
-        expect(subject).to match /could not be fetched because of HTTP error!/
+        expect(subject).to eq('Remote file `https://gitlab.com/gitlab-org/gitlab-foss/blob/1234/.xxxxxxxxxxx.yml` could not be fetched because of HTTP error!')
       end
     end
 
@@ -175,7 +176,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Remote do
       end
 
       it 'returns error message about a timeout' do
-        expect(subject).to match /could not be fetched because of HTTP code `404` error!/
+        expect(subject).to eq('Remote file `https://gitlab.com/gitlab-org/gitlab-foss/blob/1234/.xxxxxxxxxxx.yml` could not be fetched because of HTTP code `404` error!')
       end
     end
 
diff --git a/spec/lib/gitlab/ci/config/external/file/template_spec.rb b/spec/lib/gitlab/ci/config/external/file/template_spec.rb
index 2bbaa46a8c4..88740d492e8 100644
--- a/spec/lib/gitlab/ci/config/external/file/template_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/file/template_spec.rb
@@ -57,11 +57,13 @@ RSpec.describe Gitlab::Ci::Config::External::File::Template do
     end
 
     context 'with invalid template name' do
-      let(:template) { 'Template.yml' }
+      let(:template) { 'SecretTemplate.yml' }
+      let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'SecretTemplate', 'masked' => true }]) }
+      let(:context_params) { { project: project, sha: '12345', user: user, variables: variables } }
 
       it 'returns false' do
         expect(valid?).to be_falsy
-        expect(template_file.error_message).to include('Template file `Template.yml` is not a valid location!')
+        expect(template_file.error_message).to include('`xxxxxxxxxxxxxx.yml` is not a valid location!')
       end
     end
 
diff --git a/spec/lib/gitlab/ci/config/external/mapper_spec.rb b/spec/lib/gitlab/ci/config/external/mapper_spec.rb
index f8754d7e124..f69feba5e59 100644
--- a/spec/lib/gitlab/ci/config/external/mapper_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/mapper_spec.rb
@@ -11,7 +11,8 @@ RSpec.describe Gitlab::Ci::Config::External::Mapper do
   let(:local_file) { '/lib/gitlab/ci/templates/non-existent-file.yml' }
   let(:remote_url) { 'https://gitlab.com/gitlab-org/gitlab-foss/blob/1234/.gitlab-ci-1.yml' }
   let(:template_file) { 'Auto-DevOps.gitlab-ci.yml' }
-  let(:context_params) { { project: project, sha: '123456', user: user, variables: project.predefined_variables } }
+  let(:variables) { project.predefined_variables }
+  let(:context_params) { { project: project, sha: '123456', user: user, variables: variables } }
   let(:context) { Gitlab::Ci::Config::External::Context.new(**context_params) }
 
   let(:file_content) do
@@ -92,13 +93,16 @@ RSpec.describe Gitlab::Ci::Config::External::Mapper do
       end
 
       context 'when the key is a hash of file and remote' do
+        let(:variables) { Gitlab::Ci::Variables::Collection.new([{ 'key' => 'GITLAB_TOKEN', 'value' => 'secret-file', 'masked' => true }]) }
+        let(:local_file) { 'secret-file.yml' }
+        let(:remote_url) { 'https://gitlab.com/secret-file.yml' }
         let(:values) do
           { include: { 'local' => local_file, 'remote' => remote_url },
             image: 'ruby:2.7' }
         end
 
         it 'returns ambigious specification error' do
-          expect { subject }.to raise_error(described_class::AmbigiousSpecificationError)
+          expect { subject }.to raise_error(described_class::AmbigiousSpecificationError, 'Include `{"local":"xxxxxxxxxxx.yml","remote":"https://gitlab.com/xxxxxxxxxxx.yml"}` needs to match exactly one accessor!')
         end
       end
 
diff --git a/spec/lib/gitlab/database/background_migration/batched_migration_wrapper_spec.rb b/spec/lib/gitlab/database/background_migration/batched_migration_wrapper_spec.rb
index d6c984c7adb..ba2a67f77ee 100644
--- a/spec/lib/gitlab/database/background_migration/batched_migration_wrapper_spec.rb
+++ b/spec/lib/gitlab/database/background_migration/batched_migration_wrapper_spec.rb
@@ -3,8 +3,9 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::Database::BackgroundMigration::BatchedMigrationWrapper, '#perform' do
-  subject { described_class.new.perform(job_record) }
+  subject { described_class.new(metrics: metrics_tracker).perform(job_record) }
 
+  let(:metrics_tracker) { instance_double('::Gitlab::Database::BackgroundMigration::PrometheusMetrics', track: nil) }
   let(:job_class) { Gitlab::BackgroundMigration::CopyColumnUsingBackgroundMigrationJob }
 
   let_it_be(:pause_ms) { 250 }
@@ -78,86 +79,6 @@ RSpec.describe Gitlab::Database::BackgroundMigration::BatchedMigrationWrapper, '
     end
   end
 
-  context 'reporting prometheus metrics' do
-    let(:labels) { job_record.batched_migration.prometheus_labels }
-
-    before do
-      allow(job_instance).to receive(:perform)
-    end
-
-    it 'reports batch_size' do
-      expect(described_class.metrics[:gauge_batch_size]).to receive(:set).with(labels, job_record.batch_size)
-
-      subject
-    end
-
-    it 'reports sub_batch_size' do
-      expect(described_class.metrics[:gauge_sub_batch_size]).to receive(:set).with(labels, job_record.sub_batch_size)
-
-      subject
-    end
-
-    it 'reports interval' do
-      expect(described_class.metrics[:gauge_interval]).to receive(:set).with(labels, job_record.batched_migration.interval)
-
-      subject
-    end
-
-    it 'reports updated tuples (currently based on batch_size)' do
-      expect(described_class.metrics[:counter_updated_tuples]).to receive(:increment).with(labels, job_record.batch_size)
-
-      subject
-    end
-
-    it 'reports migrated tuples' do
-      count = double
-      expect(job_record.batched_migration).to receive(:migrated_tuple_count).and_return(count)
-      expect(described_class.metrics[:gauge_migrated_tuples]).to receive(:set).with(labels, count)
-
-      subject
-    end
-
-    it 'reports summary of query timings' do
-      metrics = { 'timings' => { 'update_all' => [1, 2, 3, 4, 5] } }
-
-      expect(job_instance).to receive(:batch_metrics).and_return(metrics)
-
-      metrics['timings'].each do |key, timings|
-        summary_labels = labels.merge(operation: key)
-        timings.each do |timing|
-          expect(described_class.metrics[:histogram_timings]).to receive(:observe).with(summary_labels, timing)
-        end
-      end
-
-      subject
-    end
-
-    it 'reports job duration' do
-      freeze_time do
-        expect(Time).to receive(:current).and_return(Time.zone.now - 5.seconds).ordered
-        allow(Time).to receive(:current).and_call_original
-
-        expect(described_class.metrics[:gauge_job_duration]).to receive(:set).with(labels, 5.seconds)
-
-        subject
-      end
-    end
-
-    it 'reports the total tuple count for the migration' do
-      expect(described_class.metrics[:gauge_total_tuple_count]).to receive(:set).with(labels, job_record.batched_migration.total_tuple_count)
-
-      subject
-    end
-
-    it 'reports last updated at timestamp' do
-      freeze_time do
-        expect(described_class.metrics[:gauge_last_update_time]).to receive(:set).with(labels, Time.current.to_i)
-
-        subject
-      end
-    end
-  end
-
   context 'when the migration job does not raise an error' do
     it 'marks the tracking record as succeeded' do
       expect(job_instance).to receive(:perform).with(1, 10, 'events', 'id', 1, pause_ms, 'id', 'other_id')
@@ -171,6 +92,13 @@ RSpec.describe Gitlab::Database::BackgroundMigration::BatchedMigrationWrapper, '
         expect(reloaded_job_record.finished_at).to eq(Time.current)
       end
     end
+
+    it 'tracks metrics of the execution' do
+      expect(job_instance).to receive(:perform)
+      expect(metrics_tracker).to receive(:track).with(job_record)
+
+      subject
+    end
   end
 
   context 'when the migration job raises an error' do
@@ -189,6 +117,13 @@ RSpec.describe Gitlab::Database::BackgroundMigration::BatchedMigrationWrapper, '
           expect(reloaded_job_record.finished_at).to eq(Time.current)
         end
       end
+
+      it 'tracks metrics of the execution' do
+        expect(job_instance).to receive(:perform).and_raise(error_class)
+        expect(metrics_tracker).to receive(:track).with(job_record)
+
+        expect { subject }.to raise_error(error_class)
+      end
     end
 
     it_behaves_like 'an error is raised', RuntimeError.new('Something broke!')
diff --git a/spec/lib/gitlab/database/background_migration/prometheus_metrics_spec.rb b/spec/lib/gitlab/database/background_migration/prometheus_metrics_spec.rb
new file mode 100644
index 00000000000..1f256de35ec
--- /dev/null
+++ b/spec/lib/gitlab/database/background_migration/prometheus_metrics_spec.rb
@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Database::BackgroundMigration::PrometheusMetrics, :prometheus do
+  describe '#track' do
+    let(:job_record) do
+      build(:batched_background_migration_job, :succeeded,
+            started_at: Time.current - 2.minutes,
+            finished_at: Time.current - 1.minute,
+            updated_at: Time.current,
+            metrics: { 'timings' => { 'update_all' => [0.05, 0.2, 0.4, 0.9, 4] } })
+    end
+
+    let(:labels) { job_record.batched_migration.prometheus_labels }
+
+    subject(:track_job_record_metrics) { described_class.new.track(job_record) }
+
+    it 'reports batch_size' do
+      track_job_record_metrics
+
+      expect(metric_for_job_by_name(:gauge_batch_size)).to eq(job_record.batch_size)
+    end
+
+    it 'reports sub_batch_size' do
+      track_job_record_metrics
+
+      expect(metric_for_job_by_name(:gauge_sub_batch_size)).to eq(job_record.sub_batch_size)
+    end
+
+    it 'reports interval' do
+      track_job_record_metrics
+
+      expect(metric_for_job_by_name(:gauge_interval)).to eq(job_record.batched_migration.interval)
+    end
+
+    it 'reports job duration' do
+      freeze_time do
+        track_job_record_metrics
+
+        expect(metric_for_job_by_name(:gauge_job_duration)).to eq(1.minute)
+      end
+    end
+
+    it 'increments updated tuples (currently based on batch_size)' do
+      expect(described_class.metrics[:counter_updated_tuples]).to receive(:increment)
+        .with(labels, job_record.batch_size)
+        .twice
+        .and_call_original
+
+      track_job_record_metrics
+
+      expect(metric_for_job_by_name(:counter_updated_tuples)).to eq(job_record.batch_size)
+
+      described_class.new.track(job_record)
+
+      expect(metric_for_job_by_name(:counter_updated_tuples)).to eq(job_record.batch_size * 2)
+    end
+
+    it 'reports migrated tuples' do
+      expect(job_record.batched_migration).to receive(:migrated_tuple_count).and_return(20)
+
+      track_job_record_metrics
+
+      expect(metric_for_job_by_name(:gauge_migrated_tuples)).to eq(20)
+    end
+
+    it 'reports the total tuple count for the migration' do
+      track_job_record_metrics
+
+      expect(metric_for_job_by_name(:gauge_total_tuple_count)).to eq(job_record.batched_migration.total_tuple_count)
+    end
+
+    it 'reports last updated at timestamp' do
+      freeze_time do
+        track_job_record_metrics
+
+        expect(metric_for_job_by_name(:gauge_last_update_time)).to eq(Time.current.to_i)
+      end
+    end
+
+    it 'reports summary of query timings' do
+      summary_labels = labels.merge(operation: 'update_all')
+
+      job_record.metrics['timings']['update_all'].each do |timing|
+        expect(described_class.metrics[:histogram_timings]).to receive(:observe)
+          .with(summary_labels, timing)
+          .and_call_original
+      end
+
+      track_job_record_metrics
+
+      expect(metric_for_job_by_name(:histogram_timings, job_labels: summary_labels))
+        .to eq({ 0.1 => 1.0, 0.25 => 2.0, 0.5 => 3.0, 1 => 4.0, 5 => 5.0 })
+    end
+
+    context 'when the tracking record does not having timing metrics' do
+      before do
+        job_record.metrics = {}
+      end
+
+      it 'does not attempt to report query timings' do
+        summary_labels = labels.merge(operation: 'update_all')
+
+        expect(described_class.metrics[:histogram_timings]).not_to receive(:observe)
+
+        track_job_record_metrics
+
+        expect(metric_for_job_by_name(:histogram_timings, job_labels: summary_labels))
+          .to eq({ 0.1 => 0.0, 0.25 => 0.0, 0.5 => 0.0, 1 => 0.0, 5 => 0.0 })
+      end
+    end
+
+    def metric_for_job_by_name(name, job_labels: labels)
+      described_class.metrics[name].values[job_labels].get
+    end
+  end
+end
diff --git a/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb b/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
new file mode 100644
index 00000000000..5ec73233e77
--- /dev/null
+++ b/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::ErrorTracking::Processor::SanitizeErrorMessageProcessor, :sentry do
+  describe '.call' do
+    let(:exception) { StandardError.new('raw error') }
+    let(:result_hash) { described_class.call(event).to_hash }
+
+    shared_examples 'processes the exception' do
+      it 'cleans the exception message' do
+        expect(Gitlab::Sanitizers::ExceptionMessage).to receive(:clean).with('StandardError', 'raw error').and_return('cleaned')
+
+        expect(result_hash[:exception][:values].first).to include(
+          type: 'StandardError',
+          value: 'cleaned'
+        )
+      end
+    end
+
+    context 'with Raven event' do
+      let(:raven_required_options) do
+        {
+          configuration: Raven.configuration,
+          context: Raven.context,
+          breadcrumbs: Raven.breadcrumbs
+        }
+      end
+
+      let(:event) { Raven::Event.from_exception(exception, raven_required_options) }
+
+      it_behaves_like 'processes the exception'
+    end
+
+    context 'with Sentry event' do
+      let(:event) { Sentry.get_current_client.event_from_exception(exception) }
+
+      it_behaves_like 'processes the exception'
+    end
+
+    context 'with invalid event' do
+      let(:event) { instance_double('Sentry::Event', to_hash: { invalid: true }) }
+
+      it 'does nothing' do
+        extracted_exception = instance_double('Sentry::SingleExceptionInterface', value: nil)
+        allow(described_class).to receive(:extract_exceptions_from).and_return([extracted_exception])
+
+        expect(Gitlab::Sanitizers::ExceptionMessage).not_to receive(:clean)
+        expect(result_hash).to eq(invalid: true)
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/error_tracking_spec.rb b/spec/lib/gitlab/error_tracking_spec.rb
index 936954fc1b6..1ade3a51c55 100644
--- a/spec/lib/gitlab/error_tracking_spec.rb
+++ b/spec/lib/gitlab/error_tracking_spec.rb
@@ -368,5 +368,61 @@ RSpec.describe Gitlab::ErrorTracking do
         end
       end
     end
+
+    context 'when processing invalid URI exceptions' do
+      let(:invalid_uri) { 'http://foo:bar' }
+      let(:raven_exception_values) { raven_event['exception']['values'] }
+      let(:sentry_exception_values) { sentry_event.exception.to_hash[:values] }
+
+      context 'when the error is a URI::InvalidURIError' do
+        let(:exception) do
+          URI.parse(invalid_uri)
+        rescue URI::InvalidURIError => error
+          error
+        end
+
+        it 'filters the URI from the error message' do
+          track_exception
+
+          expect(raven_exception_values).to include(
+            hash_including(
+              'type' => 'URI::InvalidURIError',
+              'value' => 'bad URI(is not URI?): [FILTERED]'
+            )
+          )
+          expect(sentry_exception_values).to include(
+            hash_including(
+              type: 'URI::InvalidURIError',
+              value: 'bad URI(is not URI?): [FILTERED]'
+            )
+          )
+        end
+      end
+
+      context 'when the error is a Addressable::URI::InvalidURIError' do
+        let(:exception) do
+          Addressable::URI.parse(invalid_uri)
+        rescue Addressable::URI::InvalidURIError => error
+          error
+        end
+
+        it 'filters the URI from the error message' do
+          track_exception
+
+          expect(raven_exception_values).to include(
+            hash_including(
+              'type' => 'Addressable::URI::InvalidURIError',
+              'value' => 'Invalid port number: [FILTERED]'
+            )
+          )
+          expect(sentry_exception_values).to include(
+            hash_including(
+              type: 'Addressable::URI::InvalidURIError',
+              value: 'Invalid port number: [FILTERED]'
+            )
+          )
+        end
+      end
+    end
   end
 end
diff --git a/spec/lib/gitlab/exception_log_formatter_spec.rb b/spec/lib/gitlab/exception_log_formatter_spec.rb
index beeeeb2b64c..7dda56f0bf5 100644
--- a/spec/lib/gitlab/exception_log_formatter_spec.rb
+++ b/spec/lib/gitlab/exception_log_formatter_spec.rb
@@ -22,6 +22,14 @@ RSpec.describe Gitlab::ExceptionLogFormatter do
       expect(payload['exception.sql']).to be_nil
     end
 
+    it 'cleans the exception message' do
+      expect(Gitlab::Sanitizers::ExceptionMessage).to receive(:clean).with('RuntimeError', 'bad request').and_return('cleaned')
+
+      described_class.format!(exception, payload)
+
+      expect(payload['exception.message']).to eq('cleaned')
+    end
+
     context 'when exception is ActiveRecord::StatementInvalid' do
       let(:exception) { ActiveRecord::StatementInvalid.new(sql: 'SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."foo" = $1') }
 
diff --git a/spec/lib/gitlab/import_export/members_mapper_spec.rb b/spec/lib/gitlab/import_export/members_mapper_spec.rb
index 8d9bff9c610..87ca899a87d 100644
--- a/spec/lib/gitlab/import_export/members_mapper_spec.rb
+++ b/spec/lib/gitlab/import_export/members_mapper_spec.rb
@@ -17,7 +17,7 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
            "notification_level" => 3,
            "created_at" => "2016-03-11T10:21:44.822Z",
            "updated_at" => "2016-03-11T10:21:44.822Z",
-           "created_by_id" => nil,
+           "created_by_id" => 1,
            "invite_email" => nil,
            "invite_token" => nil,
            "invite_accepted_at" => nil,
@@ -38,10 +38,24 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
            "notification_level" => 3,
            "created_at" => "2016-03-11T10:21:44.822Z",
            "updated_at" => "2016-03-11T10:21:44.822Z",
-           "created_by_id" => 1,
+           "created_by_id" => 2,
            "invite_email" => 'invite@test.com',
            "invite_token" => 'token',
            "invite_accepted_at" => nil
+         },
+         {
+           "id" => 3,
+           "access_level" => 40,
+           "source_id" => 14,
+           "source_type" => source_type,
+           "user_id" => nil,
+           "notification_level" => 3,
+           "created_at" => "2016-03-11T10:21:44.822Z",
+           "updated_at" => "2016-03-11T10:21:44.822Z",
+           "created_by_id" => nil,
+           "invite_email" => 'invite2@test.com',
+           "invite_token" => 'token',
+           "invite_accepted_at" => nil
          }]
       end
 
@@ -68,12 +82,37 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
         expect(member_class.find_by_invite_email('invite@test.com')).not_to be_nil
       end
 
-      it 'removes old user_id from member_hash to avoid conflict with user key' do
+      it 'maps created_by_id to user on new instance' do
         expect(member_class)
           .to receive(:create)
-                .twice
-                .with(hash_excluding('user_id'))
-                .and_call_original
+            .once
+            .with(hash_including('user_id' => user2.id, 'created_by_id' => nil))
+            .and_call_original
+        expect(member_class)
+          .to receive(:create)
+            .once
+            .with(hash_including('invite_email' => 'invite@test.com', 'created_by_id' => nil))
+            .and_call_original
+        expect(member_class)
+          .to receive(:create)
+            .once
+            .with(hash_including('invite_email' => 'invite2@test.com', 'created_by_id' => nil))
+            .and_call_original
+
+        members_mapper.map
+      end
+
+      it 'replaced user_id with user_id from new instance' do
+        expect(member_class)
+          .to receive(:create)
+            .once
+            .with(hash_including('user_id' => user2.id))
+            .and_call_original
+        expect(member_class)
+          .to receive(:create)
+            .twice
+            .with(hash_excluding('user_id'))
+            .and_call_original
 
         members_mapper.map
       end
@@ -99,7 +138,7 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
           end
 
           expect(logger).to receive(:info).with(hash_including(expected_log_params.call(user2.id))).once
-          expect(logger).to receive(:info).with(hash_including(expected_log_params.call(nil))).once
+          expect(logger).to receive(:info).with(hash_including(expected_log_params.call(nil))).twice
 
           members_mapper.map
         end
diff --git a/spec/lib/gitlab/sanitizers/exception_message_spec.rb b/spec/lib/gitlab/sanitizers/exception_message_spec.rb
new file mode 100644
index 00000000000..8b54b353235
--- /dev/null
+++ b/spec/lib/gitlab/sanitizers/exception_message_spec.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require 'rspec-parameterized'
+
+RSpec.describe Gitlab::Sanitizers::ExceptionMessage do
+  describe '.clean' do
+    let(:exception_name) { exception.class.name }
+    let(:exception_message) { exception.message }
+
+    subject { described_class.clean(exception_name, exception_message) }
+
+    context 'when error is a URI::InvalidURIError' do
+      let(:exception) do
+        URI.parse('http://foo:bar')
+      rescue URI::InvalidURIError => error
+        error
+      end
+
+      it { is_expected.to eq('bad URI(is not URI?): [FILTERED]') }
+    end
+
+    context 'when error is an Addressable::URI::InvalidURIError' do
+      using RSpec::Parameterized::TableSyntax
+
+      let(:exception) do
+        Addressable::URI.parse(uri)
+      rescue Addressable::URI::InvalidURIError => error
+        error
+      end
+
+      where(:uri, :result) do
+        'http://foo:bar' | 'Invalid port number: [FILTERED]'
+        'http://foo:%eb' | 'Invalid encoding in port'
+        'ht%0atp://foo'  | 'Invalid scheme format: [FILTERED]'
+        'http:'          | 'Absolute URI missing hierarchical segment: [FILTERED]'
+        '::http'         | 'Cannot assemble URI string with ambiguous path: [FILTERED]'
+        'http://foo bar' | 'Invalid character in host: [FILTERED]'
+      end
+
+      with_them do
+        it { is_expected.to eq(result) }
+      end
+    end
+
+    context 'with any other exception' do
+      let(:exception) { StandardError.new('Error message: http://foo@bar:baz@ex:ample.com') }
+
+      it 'is not invoked and does nothing' do
+        is_expected.to eq('Error message: http://foo@bar:baz@ex:ample.com')
+      end
+    end
+  end
+end
diff --git a/spec/mailers/emails/profile_spec.rb b/spec/mailers/emails/profile_spec.rb
index 88efdbd77be..f4483f7e8f5 100644
--- a/spec/mailers/emails/profile_spec.rb
+++ b/spec/mailers/emails/profile_spec.rb
@@ -49,7 +49,7 @@ RSpec.describe Emails::Profile do
 
   describe 'for users that signed up, the email' do
     let(:example_site_path) { root_path }
-    let(:new_user) { create(:user, email: new_user_address, password: Gitlab::Password.test_default) }
+    let(:new_user) { create(:user, email: new_user_address, password: "securePassword") }
 
     subject { Notify.new_user_email(new_user.id) }
 
diff --git a/spec/models/ci/pipeline_spec.rb b/spec/models/ci/pipeline_spec.rb
index b3e811de0c2..c6a27b4b687 100644
--- a/spec/models/ci/pipeline_spec.rb
+++ b/spec/models/ci/pipeline_spec.rb
@@ -1146,6 +1146,28 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep do
         end
       end
     end
+
+    describe 'variable CI_GITLAB_FIPS_MODE' do
+      context 'when FIPS flag is enabled' do
+        before do
+          allow(Gitlab::FIPS).to receive(:enabled?).and_return(true)
+        end
+
+        it "is included with value 'true'" do
+          expect(subject.to_hash).to include('CI_GITLAB_FIPS_MODE' => 'true')
+        end
+      end
+
+      context 'when FIPS flag is disabled' do
+        before do
+          allow(Gitlab::FIPS).to receive(:enabled?).and_return(false)
+        end
+
+        it 'is not included' do
+          expect(subject.to_hash).not_to have_key('CI_GITLAB_FIPS_MODE')
+        end
+      end
+    end
   end
 
   describe '#protected_ref?' do
diff --git a/spec/models/ci/runner_spec.rb b/spec/models/ci/runner_spec.rb
index 0620bb1ffc5..42187c3ef99 100644
--- a/spec/models/ci/runner_spec.rb
+++ b/spec/models/ci/runner_spec.rb
@@ -41,15 +41,25 @@ RSpec.describe Ci::Runner do
 
     context 'when runner is not allowed to pick untagged jobs' do
       context 'when runner does not have tags' do
+        let(:runner) { build(:ci_runner, tag_list: [], run_untagged: false) }
+
+        it 'is not valid' do
+          expect(runner).to be_invalid
+        end
+      end
+
+      context 'when runner has too many tags' do
+        let(:runner) { build(:ci_runner, tag_list: (1..::Ci::Runner::TAG_LIST_MAX_LENGTH + 1).map { |i| "tag#{i}" }, run_untagged: false) }
+
         it 'is not valid' do
-          runner = build(:ci_runner, tag_list: [], run_untagged: false)
           expect(runner).to be_invalid
         end
       end
 
       context 'when runner has tags' do
+        let(:runner) { build(:ci_runner, tag_list: ['tag'], run_untagged: false) }
+
         it 'is valid' do
-          runner = build(:ci_runner, tag_list: ['tag'], run_untagged: false)
           expect(runner).to be_valid
         end
       end
diff --git a/spec/models/hooks/system_hook_spec.rb b/spec/models/hooks/system_hook_spec.rb
index a3d36058b74..bf69c7219a8 100644
--- a/spec/models/hooks/system_hook_spec.rb
+++ b/spec/models/hooks/system_hook_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe SystemHook do
     let(:project)     { create(:project, namespace: user.namespace) }
     let(:group)       { create(:group) }
     let(:params) do
-      { name: 'John Doe', username: 'jduser', email: 'jg@example.com', password: Gitlab::Password.test_default }
+      { name: 'John Doe', username: 'jduser', email: 'jg@example.com', password: 'mydummypass' }
     end
 
     before do
diff --git a/spec/models/integrations/asana_spec.rb b/spec/models/integrations/asana_spec.rb
index b6602964182..43e876a4f47 100644
--- a/spec/models/integrations/asana_spec.rb
+++ b/spec/models/integrations/asana_spec.rb
@@ -20,11 +20,13 @@ RSpec.describe Integrations::Asana do
     let(:gid) { "123456789ABCD" }
     let(:asana_task) { double(::Asana::Resources::Task) }
     let(:asana_integration) { described_class.new }
+    let(:ref) { 'main' }
+    let(:restrict_to_branch) { nil }
 
     let(:data) do
       {
         object_kind: 'push',
-        ref: 'master',
+        ref: ref,
         user_name: user.name,
         commits: [
           {
@@ -40,16 +42,44 @@ RSpec.describe Integrations::Asana do
         project: project,
         project_id: project.id,
         api_key: 'verySecret',
-        restrict_to_branch: 'master'
+        restrict_to_branch: restrict_to_branch
       )
     end
 
     subject(:execute_integration) { asana_integration.execute(data) }
 
+    context 'with restrict_to_branch' do
+      let(:restrict_to_branch) { 'feature-branch, main' }
+      let(:message) { 'fix #456789' }
+
+      context 'when ref is in scope of restriced branches' do
+        let(:ref) { 'main' }
+
+        it 'calls the Asana integration' do
+          expect(asana_task).to receive(:add_comment)
+          expect(asana_task).to receive(:update).with(completed: true)
+          expect(::Asana::Resources::Task).to receive(:find_by_id).with(anything, '456789').once.and_return(asana_task)
+
+          execute_integration
+        end
+      end
+
+      context 'when ref is not in scope of restricted branches' do
+        let(:ref) { 'mai' }
+
+        it 'does not call the Asana integration' do
+          expect(asana_task).not_to receive(:add_comment)
+          expect(::Asana::Resources::Task).not_to receive(:find_by_id)
+
+          execute_integration
+        end
+      end
+    end
+
     context 'when creating a story' do
       let(:message) { "Message from commit. related to ##{gid}" }
       let(:expected_message) do
-        "#{user.name} pushed to branch master of #{project.full_name} ( https://gitlab.com/ ): #{message}"
+        "#{user.name} pushed to branch main of #{project.full_name} ( https://gitlab.com/ ): #{message}"
       end
 
       it 'calls Asana integration to create a story' do
diff --git a/spec/models/releases/link_spec.rb b/spec/models/releases/link_spec.rb
index 4dc1e53d59e..74ef38f482b 100644
--- a/spec/models/releases/link_spec.rb
+++ b/spec/models/releases/link_spec.rb
@@ -113,6 +113,17 @@ RSpec.describe Releases::Link do
     end
   end
 
+  describe 'when filepath is greater than max length' do
+    let!(:invalid_link) { build(:release_link, filepath: 'x' * (Releases::Link::FILEPATH_MAX_LENGTH + 1), release: release) }
+
+    it 'will not execute regex' do
+      invalid_link.filepath_format_valid?
+
+      expect(invalid_link.errors[:filepath].size).to eq(1)
+      expect(invalid_link.errors[:filepath].first).to start_with("is too long")
+    end
+  end
+
   describe 'FILEPATH_REGEX with table' do
     using RSpec::Parameterized::TableSyntax
 
diff --git a/spec/models/ssh_host_key_spec.rb b/spec/models/ssh_host_key_spec.rb
index 4d729d5585f..4b756846598 100644
--- a/spec/models/ssh_host_key_spec.rb
+++ b/spec/models/ssh_host_key_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 
 RSpec.describe SshHostKey do
   using RSpec::Parameterized::TableSyntax
+
   include ReactiveCachingHelpers
+  include StubRequests
 
   let(:key1) do
     'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3UpyF2iLqy1d63M6k3jH1vuEnq/NWtE+o' \
@@ -35,6 +37,7 @@ RSpec.describe SshHostKey do
   let(:extra) { known_hosts + "foo\nbar\n" }
   let(:reversed) { known_hosts.lines.reverse.join }
 
+  let(:url) { 'ssh://example.com:2222' }
   let(:compare_host_keys) { nil }
 
   def stub_ssh_keyscan(args, status: true, stdout: "", stderr: "")
@@ -50,7 +53,7 @@ RSpec.describe SshHostKey do
 
   let(:project) { build(:project) }
 
-  subject(:ssh_host_key) { described_class.new(project: project, url: 'ssh://example.com:2222', compare_host_keys: compare_host_keys) }
+  subject(:ssh_host_key) { described_class.new(project: project, url: url, compare_host_keys: compare_host_keys) }
 
   describe '.primary_key' do
     it 'returns a symbol' do
@@ -191,5 +194,45 @@ RSpec.describe SshHostKey do
         is_expected.to eq(error: 'Failed to detect SSH host keys')
       end
     end
+
+    context 'DNS rebinding protection enabled' do
+      before do
+        stub_application_setting(dns_rebinding_protection_enabled: true)
+      end
+
+      it 'sends an address as well as hostname to ssh-keyscan' do
+        stub_dns(url, ip_address: '1.2.3.4')
+
+        stdin = stub_ssh_keyscan(%w[-T 5 -p 2222 -f-])
+
+        cache
+
+        expect(stdin.string).to eq("1.2.3.4 example.com\n")
+      end
+    end
+  end
+
+  describe 'URL validation' do
+    let(:url) { 'ssh://127.0.0.1' }
+
+    context 'when local requests are not allowed' do
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+      end
+
+      it 'forbids scanning localhost' do
+        expect { ssh_host_key }.to raise_error(/Invalid URL/)
+      end
+    end
+
+    context 'when local requests are allowed' do
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+      end
+
+      it 'permits scanning localhost' do
+        expect(ssh_host_key.url.to_s).to eq('ssh://127.0.0.1:22')
+      end
+    end
   end
 end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index e9657de6ed1..1a1b92d3a9c 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1757,9 +1757,9 @@ RSpec.describe User do
 
   describe '#generate_password' do
     it 'does not generate password by default' do
-      user = create(:user, password: Gitlab::Password.test_default)
+      user = create(:user, password: 'abcdefghe')
 
-      expect(user.password).to eq(Gitlab::Password.test_default)
+      expect(user.password).to eq('abcdefghe')
     end
   end
 
@@ -5723,6 +5723,36 @@ RSpec.describe User do
     end
   end
 
+  describe '#valid_password?' do
+    subject { user.valid_password?(password) }
+
+    context 'user with password not in disallowed list' do
+      let(:user) { create(:user) }
+      let(:password) { user.password }
+
+      it { is_expected.to be_truthy }
+
+      context 'using a wrong password' do
+        let(:password) { 'WRONG PASSWORD' }
+
+        it { is_expected.to be_falsey }
+      end
+    end
+
+    context 'user with disallowed password' do
+      let(:user) { create(:user, :disallowed_password) }
+      let(:password) { user.password }
+
+      it { is_expected.to be_falsey }
+
+      context 'using a wrong password' do
+        let(:password) { 'WRONG PASSWORD' }
+
+        it { is_expected.to be_falsey }
+      end
+    end
+  end
+
   describe '#password_expired?' do
     let(:user) { build(:user, password_expires_at: password_expires_at) }
 
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 310454c227f..bde83d647db 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -81,25 +81,62 @@ RSpec.describe ProjectPolicy do
 
   context 'merge requests feature' do
     let(:current_user) { owner }
+    let(:mr_permissions) do
+      [:create_merge_request_from, :read_merge_request, :update_merge_request,
+       :admin_merge_request, :create_merge_request_in]
+    end
 
     it 'disallows all permissions when the feature is disabled' do
       project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
 
-      mr_permissions = [:create_merge_request_from, :read_merge_request,
-                        :update_merge_request, :admin_merge_request,
-                        :create_merge_request_in]
-
       expect_disallowed(*mr_permissions)
     end
+
+    context 'for a guest in a private project' do
+      let(:current_user) { guest }
+      let(:project) { private_project }
+
+      it 'disallows the guest from all merge request permissions' do
+        expect_disallowed(*mr_permissions)
+      end
+    end
   end
 
-  context 'for a guest in a private project' do
-    let(:current_user) { guest }
-    let(:project) { private_project }
+  context 'creating_merge_request_in' do
+    context 'when project is public' do
+      let(:project) { public_project }
 
-    it 'disallows the guest from reading the merge request and merge request iid' do
-      expect_disallowed(:read_merge_request)
-      expect_disallowed(:read_merge_request_iid)
+      context 'when the current_user is guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.to be_allowed(:create_merge_request_in) }
+      end
+    end
+
+    context 'when project is internal' do
+      let(:project) { internal_project }
+
+      context 'when the current_user is guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.to be_allowed(:create_merge_request_in) }
+      end
+    end
+
+    context 'when project is private' do
+      let(:project) { private_project }
+
+      context 'when the current_user is guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.not_to be_allowed(:create_merge_request_in) }
+      end
+
+      context 'when the current_user is reporter or above' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_allowed(:create_merge_request_in) }
+      end
     end
   end
 
@@ -1346,6 +1383,110 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  describe 'read_ci_cd_analytics' do
+    context 'public project' do
+      let(:project) { create(:project, :public, :analytics_enabled) }
+      let(:current_user) { create(:user) }
+
+      context 'when public pipelines are disabled for the project' do
+        before do
+          project.update!(public_builds: false)
+        end
+
+        context 'project member' do
+          %w(guest reporter developer maintainer).each do |role|
+            context role do
+              before do
+                project.add_user(current_user, role.to_sym)
+              end
+
+              if role == 'guest'
+                it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+              else
+                it { is_expected.to be_allowed(:read_ci_cd_analytics) }
+              end
+            end
+          end
+        end
+
+        context 'non member' do
+          let(:current_user) { non_member }
+
+          it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+        end
+
+        context 'anonymous' do
+          let(:current_user) { anonymous }
+
+          it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+        end
+      end
+
+      context 'when public pipelines are enabled for the project' do
+        before do
+          project.update!(public_builds: true)
+        end
+
+        context 'project member' do
+          %w(guest reporter developer maintainer).each do |role|
+            context role do
+              before do
+                project.add_user(current_user, role.to_sym)
+              end
+
+              it { is_expected.to be_allowed(:read_ci_cd_analytics) }
+            end
+          end
+        end
+
+        context 'non member' do
+          let(:current_user) { non_member }
+
+          it { is_expected.to be_allowed(:read_ci_cd_analytics) }
+        end
+
+        context 'anonymous' do
+          let(:current_user) { anonymous }
+
+          it { is_expected.to be_allowed(:read_ci_cd_analytics) }
+        end
+      end
+    end
+
+    context 'private project' do
+      let(:project) { create(:project, :private, :analytics_enabled) }
+      let(:current_user) { create(:user) }
+
+      context 'project member' do
+        %w(guest reporter developer maintainer).each do |role|
+          context role do
+            before do
+              project.add_user(current_user, role.to_sym)
+            end
+
+            if role == 'guest'
+              it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+            else
+              it { is_expected.to be_allowed(:read_ci_cd_analytics) }
+            end
+          end
+        end
+      end
+
+      context 'non member' do
+        let(:current_user) { non_member }
+
+        it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+      end
+
+      context 'anonymous' do
+        let(:current_user) { anonymous }
+
+        it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+      end
+    end
+  end
+
   it_behaves_like 'Self-managed Core resource access tokens'
 
   describe 'operations feature' do
diff --git a/spec/requests/api/ci/runner/runners_post_spec.rb b/spec/requests/api/ci/runner/runners_post_spec.rb
index 1d553751eea..50ace7adccb 100644
--- a/spec/requests/api/ci/runner/runners_post_spec.rb
+++ b/spec/requests/api/ci/runner/runners_post_spec.rb
@@ -130,7 +130,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
           }
         end
 
-        let_it_be(:new_runner) { create(:ci_runner) }
+        let_it_be(:new_runner) { build(:ci_runner) }
 
         it 'uses active value in registration' do
           expect_next_instance_of(::Ci::Runners::RegisterRunnerService) do |service|
@@ -183,6 +183,54 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
           expect(response).to have_gitlab_http_status(:created)
           expect(::Ci::Runner.last.ip_address).to eq('123.111.123.111')
         end
+
+        context 'when tags parameter is provided' do
+          def request
+            post api('/runners'), params: {
+              token: registration_token,
+              tag_list: tag_list
+            }
+          end
+
+          context 'with number of tags above limit' do
+            let(:tag_list) { (1..::Ci::Runner::TAG_LIST_MAX_LENGTH + 1).map { |i| "tag#{i}" } }
+
+            it 'uses tag_list value in registration and returns error' do
+              expect_next_instance_of(::Ci::Runners::RegisterRunnerService) do |service|
+                expected_params = { tag_list: tag_list }.stringify_keys
+
+                expect(service).to receive(:execute)
+                  .once
+                  .with(registration_token, a_hash_including(expected_params))
+                  .and_call_original
+              end
+
+              request
+
+              expect(response).to have_gitlab_http_status(:bad_request)
+              expect(json_response.dig('message', 'tags_list')).to contain_exactly("Too many tags specified. Please limit the number of tags to #{::Ci::Runner::TAG_LIST_MAX_LENGTH}")
+            end
+          end
+
+          context 'with number of tags below limit' do
+            let(:tag_list) { (1..20).map { |i| "tag#{i}" } }
+
+            it 'uses tag_list value in registration and successfully creates runner' do
+              expect_next_instance_of(::Ci::Runners::RegisterRunnerService) do |service|
+                expected_params = { tag_list: tag_list }.stringify_keys
+
+                expect(service).to receive(:execute)
+                  .once
+                  .with(registration_token, a_hash_including(expected_params))
+                  .and_call_original
+              end
+
+              request
+
+              expect(response).to have_gitlab_http_status(:created)
+            end
+          end
+        end
       end
     end
   end
diff --git a/spec/requests/api/ci/runners_spec.rb b/spec/requests/api/ci/runners_spec.rb
index a1fda68b77b..d6ebc197ab0 100644
--- a/spec/requests/api/ci/runners_spec.rb
+++ b/spec/requests/api/ci/runners_spec.rb
@@ -396,6 +396,19 @@ RSpec.describe API::Ci::Runners do
           expect(shared_runner.reload.tag_list).to include('ruby2.1', 'pgsql', 'mysql')
         end
 
+        it 'unrelated runner attribute on an existing runner with too many tags' do
+          # This test ensures that it is possible to update any attribute on a runner that currently fails the
+          # validation that ensures that there aren't too many tags associated with a runner
+          existing_invalid_shared_runner = build(:ci_runner, :instance, tag_list: (1..::Ci::Runner::TAG_LIST_MAX_LENGTH + 1).map { |i| "tag#{i}" } )
+          existing_invalid_shared_runner.save!(validate: false)
+
+          active = existing_invalid_shared_runner.active
+          update_runner(existing_invalid_shared_runner.id, admin, paused: active)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(existing_invalid_shared_runner.reload.active).to eq(!active)
+        end
+
         it 'runner untagged flag' do
           # Ensure tag list is non-empty before setting untagged to false.
           update_runner(shared_runner.id, admin, tag_list: ['ruby2.1', 'pgsql', 'mysql'])
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index adbbd173189..518b0fd23c2 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -1073,7 +1073,7 @@ RSpec.describe API::Users do
       post api('/users', admin),
         params: {
           email: 'invalid email',
-          password: Gitlab::Password.test_default,
+          password: 'password',
           name: 'test'
         }
       expect(response).to have_gitlab_http_status(:bad_request)
@@ -1139,7 +1139,7 @@ RSpec.describe API::Users do
         post api('/users', admin),
           params: {
             email: 'test@example.com',
-            password: Gitlab::Password.test_default,
+            password: 'password',
             username: 'test',
             name: 'foo'
           }
@@ -1151,7 +1151,7 @@ RSpec.describe API::Users do
             params: {
               name: 'foo',
               email: 'test@example.com',
-              password: Gitlab::Password.test_default,
+              password: 'password',
               username: 'foo'
             }
         end.to change { User.count }.by(0)
@@ -1165,7 +1165,7 @@ RSpec.describe API::Users do
             params: {
               name: 'foo',
               email: 'foo@example.com',
-              password: Gitlab::Password.test_default,
+              password: 'password',
               username: 'test'
             }
         end.to change { User.count }.by(0)
@@ -1179,7 +1179,7 @@ RSpec.describe API::Users do
             params: {
               name: 'foo',
               email: 'foo@example.com',
-              password: Gitlab::Password.test_default,
+              password: 'password',
               username: 'TEST'
             }
         end.to change { User.count }.by(0)
@@ -1524,8 +1524,8 @@ RSpec.describe API::Users do
 
     context "with existing user" do
       before do
-        post api("/users", admin), params: { email: 'test@example.com', password: Gitlab::Password.test_default, username: 'test', name: 'test' }
-        post api("/users", admin), params: { email: 'foo@bar.com', password: Gitlab::Password.test_default, username: 'john', name: 'john' }
+        post api("/users", admin), params: { email: 'test@example.com', password: 'password', username: 'test', name: 'test' }
+        post api("/users", admin), params: { email: 'foo@bar.com', password: 'password', username: 'john', name: 'john' }
         @user = User.all.last
       end
 
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 9f9e1cfd90e..38c8d43376e 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -319,7 +319,7 @@ RSpec.describe 'Git HTTP requests' do
             context 'when user is using credentials with special characters' do
               context 'with password with special characters' do
                 before do
-                  user.update!(password: Gitlab::Password.test_default)
+                  user.update!(password: 'RKszEwéC5kFnû∆f243fycGu§Gh9ftDj!U')
                 end
 
                 it 'allows clones' do
@@ -1716,7 +1716,7 @@ RSpec.describe 'Git HTTP requests' do
             context 'when user is using credentials with special characters' do
               context 'with password with special characters' do
                 before do
-                  user.update!(password: Gitlab::Password.test_default)
+                  user.update!(password: 'RKszEwéC5kFnû∆f243fycGu§Gh9ftDj!U')
                 end
 
                 it 'allows clones' do
diff --git a/spec/requests/groups/crm/contacts_controller_spec.rb b/spec/requests/groups/crm/contacts_controller_spec.rb
index 4d8ca0fcd60..0ee72233418 100644
--- a/spec/requests/groups/crm/contacts_controller_spec.rb
+++ b/spec/requests/groups/crm/contacts_controller_spec.rb
@@ -85,28 +85,19 @@ RSpec.describe Groups::Crm::ContactsController do
   end
 
   describe 'GET #index' do
-    subject do
-      get group_crm_contacts_path(group)
-      response
-    end
+    subject { get group_crm_contacts_path(group) }
 
     it_behaves_like 'ok response with index template if authorized'
   end
 
   describe 'GET #new' do
-    subject do
-      get new_group_crm_contact_path(group)
-      response
-    end
+    subject { get new_group_crm_contact_path(group) }
 
     it_behaves_like 'ok response with index template if authorized'
   end
 
   describe 'GET #edit' do
-    subject do
-      get edit_group_crm_contact_path(group, id: 1)
-      response
-    end
+    subject { get edit_group_crm_contact_path(group, id: 1) }
 
     it_behaves_like 'ok response with index template if authorized'
   end
diff --git a/spec/requests/groups/crm/organizations_controller_spec.rb b/spec/requests/groups/crm/organizations_controller_spec.rb
index 37ffac71772..410fc979262 100644
--- a/spec/requests/groups/crm/organizations_controller_spec.rb
+++ b/spec/requests/groups/crm/organizations_controller_spec.rb
@@ -85,18 +85,19 @@ RSpec.describe Groups::Crm::OrganizationsController do
   end
 
   describe 'GET #index' do
-    subject do
-      get group_crm_organizations_path(group)
-      response
-    end
+    subject { get group_crm_organizations_path(group) }
 
     it_behaves_like 'ok response with index template if authorized'
   end
 
   describe 'GET #new' do
-    subject do
-      get new_group_crm_organization_path(group)
-    end
+    subject { get new_group_crm_organization_path(group) }
+
+    it_behaves_like 'ok response with index template if authorized'
+  end
+
+  describe 'GET #edit' do
+    subject { get edit_group_crm_organization_path(group, id: 1) }
 
     it_behaves_like 'ok response with index template if authorized'
   end
diff --git a/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb b/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb
index e62a94b6df8..a920b90b97d 100644
--- a/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb
+++ b/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb
@@ -53,6 +53,24 @@ RSpec.describe Ci::CreatePipelineService do
     end
 
     context 'when failed to create the pipeline' do
+      context 'when errors are raised and masked variables are involved' do
+        let_it_be(:variable) { create(:ci_variable, project: project, key: 'GL_TOKEN', value: 'test_value', masked: true) }
+
+        let(:config) do
+          <<~YAML
+          include:
+            - local: $GL_TOKEN/gitlab-ci.txt
+          YAML
+        end
+
+        it 'contains errors and masks variables' do
+          error_message = "Included file `xxxxxxxxxx/gitlab-ci.txt` does not have YAML extension!"
+          expect(pipeline.yaml_errors).to eq(error_message)
+          expect(pipeline.error_messages.map(&:content)).to contain_exactly(error_message)
+          expect(pipeline.errors.full_messages).to contain_exactly(error_message)
+        end
+      end
+
       context 'when warnings are raised' do
         let(:config) do
           <<~YAML
diff --git a/spec/services/quick_actions/interpret_service_spec.rb b/spec/services/quick_actions/interpret_service_spec.rb
index f7daa1d62ac..85dbc39edcf 100644
--- a/spec/services/quick_actions/interpret_service_spec.rb
+++ b/spec/services/quick_actions/interpret_service_spec.rb
@@ -671,6 +671,19 @@ RSpec.describe QuickActions::InterpretService do
     end
 
     shared_examples 'assign command' do
+      it 'assigns to users with escaped underscores' do
+        user = create(:user)
+        base = user.username
+        user.update!(username: "#{base}_")
+        issuable.project.add_developer(user)
+
+        cmd = "/assign @#{base}\\_"
+
+        _, updates, _ = service.execute(cmd, issuable)
+
+        expect(updates).to eq(assignee_ids: [user.id])
+      end
+
       it 'assigns to a single user' do
         _, updates, _ = service.execute(content, issuable)
 
diff --git a/spec/services/users/create_service_spec.rb b/spec/services/users/create_service_spec.rb
index ab9da82e91c..74340bac055 100644
--- a/spec/services/users/create_service_spec.rb
+++ b/spec/services/users/create_service_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe Users::CreateService do
 
       context 'when required parameters are provided' do
         let(:params) do
-          { name: 'John Doe', username: 'jduser', email: email, password: Gitlab::Password.test_default }
+          { name: 'John Doe', username: 'jduser', email: email, password: 'mydummypass' }
         end
 
         it 'returns a persisted user' do
@@ -82,13 +82,13 @@ RSpec.describe Users::CreateService do
 
       context 'when force_random_password parameter is true' do
         let(:params) do
-          { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: Gitlab::Password.test_default, force_random_password: true }
+          { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass', force_random_password: true }
         end
 
         it 'generates random password' do
           user = service.execute
 
-          expect(user.password).not_to eq Gitlab::Password.test_default
+          expect(user.password).not_to eq 'mydummypass'
           expect(user.password).to be_present
         end
       end
@@ -99,7 +99,7 @@ RSpec.describe Users::CreateService do
             name: 'John Doe',
             username: 'jduser',
             email: 'jd@example.com',
-            password: Gitlab::Password.test_default,
+            password: 'mydummypass',
             password_automatically_set: true
           }
         end
@@ -121,7 +121,7 @@ RSpec.describe Users::CreateService do
 
       context 'when skip_confirmation parameter is true' do
         let(:params) do
-          { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: Gitlab::Password.test_default, skip_confirmation: true }
+          { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass', skip_confirmation: true }
         end
 
         it 'confirms the user' do
@@ -131,7 +131,7 @@ RSpec.describe Users::CreateService do
 
       context 'when reset_password parameter is true' do
         let(:params) do
-          { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: Gitlab::Password.test_default, reset_password: true }
+          { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass', reset_password: true }
         end
 
         it 'resets password even if a password parameter is given' do
@@ -152,7 +152,7 @@ RSpec.describe Users::CreateService do
 
     context 'with nil user' do
       let(:params) do
-        { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: Gitlab::Password.test_default, skip_confirmation: true }
+        { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass', skip_confirmation: true }
       end
 
       let(:service) { described_class.new(nil, params) }
diff --git a/spec/support/helpers/login_helpers.rb b/spec/support/helpers/login_helpers.rb
index c0734bae375..7666d71f13c 100644
--- a/spec/support/helpers/login_helpers.rb
+++ b/spec/support/helpers/login_helpers.rb
@@ -91,11 +91,12 @@ module LoginHelpers
   # user - User instance to login with
   # remember - Whether or not to check "Remember me" (default: false)
   # two_factor_auth - If two-factor authentication is enabled (default: false)
-  def gitlab_sign_in_with(user, remember: false, two_factor_auth: false)
+  # password - password to attempt to login with
+  def gitlab_sign_in_with(user, remember: false, two_factor_auth: false, password: nil)
     visit new_user_session_path
 
     fill_in "user_login", with: user.email
-    fill_in "user_password", with: Gitlab::Password.test_default
+    fill_in "user_password", with: (password || "12345678")
     check 'user_remember_me' if remember
 
     click_button "Sign in"
diff --git a/spec/support/shared_contexts/policies/project_policy_shared_context.rb b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
index 3641edc845a..a78953e8199 100644
--- a/spec/support/shared_contexts/policies/project_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
@@ -15,7 +15,7 @@ RSpec.shared_context 'ProjectPolicy context' do
 
   let(:base_guest_permissions) do
     %i[
-      award_emoji create_issue create_merge_request_in create_note
+      award_emoji create_issue create_note
       create_project read_issue_board read_issue read_issue_iid read_issue_link
       read_label read_planning_hierarchy read_issue_board_list read_milestone read_note read_project
       read_project_for_iids read_project_member read_release read_snippet
@@ -26,12 +26,12 @@ RSpec.shared_context 'ProjectPolicy context' do
   let(:base_reporter_permissions) do
     %i[
       admin_issue admin_issue_link admin_label admin_issue_board_list
-      create_snippet create_incident daily_statistics download_code
+      create_snippet create_incident daily_statistics create_merge_request_in download_code
       download_wiki_code fork_project metrics_dashboard read_build
       read_commit_status read_confidential_issues read_container_image
       read_deployment read_environment read_merge_request
       read_metrics_dashboard_annotation read_pipeline read_prometheus
-      read_sentry_issue update_issue
+      read_sentry_issue update_issue create_merge_request_in
     ]
   end
 
@@ -66,7 +66,7 @@ RSpec.shared_context 'ProjectPolicy context' do
 
   let(:public_permissions) do
     %i[
-      build_download_code build_read_container_image download_code
+      build_download_code build_read_container_image create_merge_request_in download_code
       download_wiki_code fork_project read_commit_status read_container_image
       read_pipeline read_release
     ]
diff --git a/spec/support/shared_examples/policies/project_policy_shared_examples.rb b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
index a4243db6bc9..63e4d458ad4 100644
--- a/spec/support/shared_examples/policies/project_policy_shared_examples.rb
+++ b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
@@ -107,6 +107,19 @@ RSpec.shared_examples 'deploy token does not get confused with user' do
 end
 
 RSpec.shared_examples 'project policies as guest' do
+  context 'abilities for public projects' do
+    let(:project) { public_project }
+    let(:current_user) { guest }
+
+    it do
+      expect_allowed(*guest_permissions)
+      expect_allowed(*public_permissions)
+      expect_disallowed(*developer_permissions)
+      expect_disallowed(*maintainer_permissions)
+      expect_disallowed(*owner_permissions)
+    end
+  end
+
   context 'abilities for non-public projects' do
     let(:project) { private_project }
     let(:current_user) { guest }
diff --git a/spec/tasks/gitlab/password_rake_spec.rb b/spec/tasks/gitlab/password_rake_spec.rb
index ec18d713351..65bba836024 100644
--- a/spec/tasks/gitlab/password_rake_spec.rb
+++ b/spec/tasks/gitlab/password_rake_spec.rb
@@ -3,7 +3,7 @@
 require 'rake_helper'
 
 RSpec.describe 'gitlab:password rake tasks', :silence_stdout do
-  let_it_be(:user_1) { create(:user, username: 'foobar', password: Gitlab::Password.test_default) }
+  let_it_be(:user_1) { create(:user, username: 'foobar', password: 'initial_password') }
 
   def stub_username(username)
     allow(Gitlab::TaskHelpers).to receive(:prompt).with('Enter username: ').and_return(username)
@@ -19,14 +19,14 @@ RSpec.describe 'gitlab:password rake tasks', :silence_stdout do
     Rake.application.rake_require 'tasks/gitlab/password'
 
     stub_username('foobar')
-    stub_password(Gitlab::Password.test_default)
+    stub_password('secretpassword')
   end
 
   describe ':reset' do
     context 'when all inputs are correct' do
       it 'updates the password properly' do
         run_rake_task('gitlab:password:reset', user_1.username)
-        expect(user_1.reload.valid_password?(Gitlab::Password.test_default)).to eq(true)
+        expect(user_1.reload.valid_password?('secretpassword')).to eq(true)
       end
     end
 
@@ -55,7 +55,7 @@ RSpec.describe 'gitlab:password rake tasks', :silence_stdout do
 
     context 'when passwords do not match' do
       before do
-        stub_password(Gitlab::Password.test_default, "different" + Gitlab::Password.test_default)
+        stub_password('randompassword', 'differentpassword')
       end
 
       it 'aborts with an error' do
diff --git a/yarn.lock b/yarn.lock
index a0ef7910326..0987780f489 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11223,10 +11223,10 @@ svg-tags@^1.0.0:
   resolved "https://registry.yarnpkg.com/svg-tags/-/svg-tags-1.0.0.tgz#58f71cee3bd519b59d4b2a843b6c7de64ac04764"
   integrity sha1-WPcc7jvVGbWdSyqEO2x95krAR2Q=
 
-swagger-ui-dist@^3.52.3:
-  version "3.52.3"
-  resolved "https://registry.yarnpkg.com/swagger-ui-dist/-/swagger-ui-dist-3.52.3.tgz#a09b5cdccac69e3f5f1cbd258654a110119a7f0e"
-  integrity sha512-7QSY4milmYx5O8dbzU5tTftiaoZt+4JGxahTTBiLAnbTvhTyzum9rsjDIJjC+xeT8Tt1KfB38UuQQjmrh2THDQ==
+swagger-ui-dist@4.8.0:
+  version "4.8.0"
+  resolved "https://registry.yarnpkg.com/swagger-ui-dist/-/swagger-ui-dist-4.8.0.tgz#5f39a038a02ffbd5defb8e1921a9ac1620d779ae"
+  integrity sha512-jdcO4XcbwkAtrwvHp90Usjx3d4JZMjaiS02CxBFfuSxr6G8DBXPcK471+N6BcBkwZK7VTgpUBFAyyarsAvKYFQ==
 
 symbol-observable@^1.0.4:
   version "1.2.0"