diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 5d3c635a654..db6470a97ce 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -66a4a9452e0ee27a29dd36fffe98ea04dab8ae24 +440ad2b355bdbcf1d2b21ea63be40fddfc788d86 diff --git a/Gemfile b/Gemfile index 6c2f049f231..07e744c4e37 100644 --- a/Gemfile +++ b/Gemfile @@ -473,7 +473,7 @@ gem 'ssh_data', '~> 1.2' gem 'spamcheck', '~> 0.1.0' # Gitaly GRPC protocol definitions -gem 'gitaly', '~> 14.6.0.pre.rc1' +gem 'gitaly', '~> 14.8.0.pre.rc1' # KAS GRPC protocol definitions gem 'kas-grpc', '~> 0.0.2' diff --git a/Gemfile.lock b/Gemfile.lock index ba7357c3d54..fccbbf02882 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -449,7 +449,7 @@ GEM rails (>= 3.2.0) git (1.7.0) rchardet (~> 1.8) - gitaly (14.6.0.pre.rc1) + gitaly (14.8.0.pre.rc1) grpc (~> 1.0) github-markup (1.7.0) gitlab (4.16.1) @@ -1466,7 +1466,7 @@ DEPENDENCIES gettext (~> 3.3) gettext_i18n_rails (~> 1.8.0) gettext_i18n_rails_js (~> 1.3) - gitaly (~> 14.6.0.pre.rc1) + gitaly (~> 14.8.0.pre.rc1) github-markup (~> 1.7.0) gitlab-chronic (~> 0.10.5) gitlab-dangerfiles (~> 2.8.0) diff --git a/app/assets/javascripts/diffs/components/app.vue b/app/assets/javascripts/diffs/components/app.vue index 243ae46bd74..45f8676a1d2 100644 --- a/app/assets/javascripts/diffs/components/app.vue +++ b/app/assets/javascripts/diffs/components/app.vue @@ -26,7 +26,6 @@ import { TREE_LIST_WIDTH_STORAGE_KEY, INITIAL_TREE_WIDTH, MIN_TREE_WIDTH, - MAX_TREE_WIDTH, TREE_HIDE_STATS_WIDTH, MR_TREE_SHOW_KEY, ALERT_OVERFLOW_HIDDEN, @@ -622,7 +621,7 @@ export default { }, }, minTreeWidth: MIN_TREE_WIDTH, - maxTreeWidth: MAX_TREE_WIDTH, + maxTreeWidth: window.innerWidth / 2, howToMergeDocsPath: helpPagePath('user/project/merge_requests/reviews/index.md', { anchor: 'checkout-merge-requests-locally-through-the-head-ref', }), diff --git a/app/assets/javascripts/diffs/constants.js b/app/assets/javascripts/diffs/constants.js index 16d7e4c9464..c2eefad8f40 100644 
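Review bot: `maxTreeWidth: window.innerWidth / 2` in the app.vue hunk has no lower bound, so in a window narrower than 480px it falls below `MIN_TREE_WIDTH` (240 in constants.js) and the resize limits invert. Clamping keeps the two limits consistent: `maxTreeWidth: Math.max(MIN_TREE_WIDTH, window.innerWidth / 2),`. The expression also looks like it is evaluated once when this object is built, so it would not follow a later window resize. The enclosing object literal starts and ends outside the hunk, so confirm where it is evaluated.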
--- a/app/assets/javascripts/diffs/constants.js +++ b/app/assets/javascripts/diffs/constants.js @@ -42,7 +42,6 @@ export const TREE_LIST_WIDTH_STORAGE_KEY = 'mr_tree_list_width'; export const INITIAL_TREE_WIDTH = 320; export const MIN_TREE_WIDTH = 240; -export const MAX_TREE_WIDTH = 400; export const TREE_HIDE_STATS_WIDTH = 260; export const OLD_LINE_KEY = 'old_line'; diff --git a/data/deprecations/14-8-protect-vulnerability-check.yml b/data/deprecations/14-8-protect-vulnerability-check.yml new file mode 100644 index 00000000000..d8bc68dbd6e --- /dev/null +++ b/data/deprecations/14-8-protect-vulnerability-check.yml 
@@ -0,0 +1,18 @@
+- name: "Vulnerability Check"
+ announcement_milestone: "14.8"
+ announcement_date: "2021-02-22"
+ removal_milestone: "15.0"
+ removal_date: "2022-05-22"
+ breaking_change: true
+ reporter: sam.white
+ body: | # Do not modify this line, instead modify the lines below.
+ The vulnerability check feature is deprecated in GitLab 14.8 and scheduled for removal in GitLab 15.0. We encourage you to migrate to the new security approvals feature instead. You can do so by navigating to **Security & Compliance > Policies** and creating a new Scan Result Policy.
+
+ The new security approvals feature is similar to vulnerability check. For example, both can require approvals for MRs that contain security vulnerabilities. However, security approvals improve the previous experience in several ways:
+
+ - Users can choose who is allowed to edit security approval rules. An independent security or compliance team can therefore manage rules in a way that prevents development project maintainers from modifying the rules.
+ - Multiple rules can be created and chained together to allow for filtering on different severity thresholds for each scanner type.
+ - A two-step approval process can be enforced for any desired changes to security approval rules.
+ - A single set of security policies can be applied to multiple development projects to allow for ease in maintaining a single, centralized ruleset.
+# The following items are not published on the docs page, but may be used in the future.
+ stage: "Protect"
diff --git a/db/post_migrate/20220111093534_remove_index_on_auto_stop_in.rb b/db/post_migrate/20220111093534_remove_index_on_auto_stop_in.rb
new file mode 100644
index 00000000000..bcb78b28376
--- /dev/null
+++ b/db/post_migrate/20220111093534_remove_index_on_auto_stop_in.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class RemoveIndexOnAutoStopIn < Gitlab::Database::Migration[1.0]
+ TABLE = :environments
+ INDEX_NAME = 'index_environments_on_auto_stop_at'
+ COLUMN = :auto_stop_at
+
+ disable_ddl_transaction!
+
+ def up
+ remove_concurrent_index TABLE, COLUMN, where: 'auto_stop_at IS NOT NULL', name: INDEX_NAME
+ end
+
+ def down
+ add_concurrent_index TABLE, COLUMN, where: 'auto_stop_at IS NOT NULL', name: INDEX_NAME
+ end
+end
diff --git a/db/post_migrate/20220111101421_remove_index_on_merge_request_id.rb b/db/post_migrate/20220111101421_remove_index_on_merge_request_id.rb
new file mode 100644
index 00000000000..38cc259312d
--- /dev/null
+++ b/db/post_migrate/20220111101421_remove_index_on_merge_request_id.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class RemoveIndexOnMergeRequestId < Gitlab::Database::Migration[1.0]
+ TABLE = :merge_request_context_commits
+ INDEX_NAME = 'index_merge_request_context_commits_on_merge_request_id'
+ COLUMN = :merge_request_id
+
+ disable_ddl_transaction!
+
+ def up
+ remove_concurrent_index TABLE, COLUMN, name: INDEX_NAME
+ end
+
+ def down
+ add_concurrent_index TABLE, COLUMN, name: INDEX_NAME
+ end
+end
diff --git a/db/schema_migrations/20220111093534 b/db/schema_migrations/20220111093534
new file mode 100644
index 00000000000..5999dbdf49a
--- /dev/null
+++ b/db/schema_migrations/20220111093534
@@ -0,0 +1 @@
+ff0127967c3ee6e4f4af528b84024a6a838f8dbeb19cf78d7d913d4fc8e155e7
\ No newline at end of file
diff --git a/db/schema_migrations/20220111101421 b/db/schema_migrations/20220111101421
new file mode 100644
index 00000000000..16d47665734
--- /dev/null
+++ b/db/schema_migrations/20220111101421
@@ -0,0 +1 @@
+abbba4ccacebb825c3f9cb5b0463d457fd4a7b4396a2184a995e496aebaf4521
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 0023d0317b6..1b19fa728a2 100644
--- a/db/structure.sql
+++ b/db/structure.sql
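Review bot: `RemoveIndexOnMergeRequestId` drops `index_merge_request_context_commits_on_merge_request_id`, but the only `db/structure.sql` hunk visible on this page removes `index_environments_on_auto_stop_at`, with no matching removal for the merge-request index. If that index is defined in `db/structure.sql`, the schema dump is out of sync with the migration and should be regenerated. If it is not, a comment in the migration saying so would explain the asymmetry. Neither migration says which remaining index makes the dropped one redundant, so a one-line comment above each `up` naming it would let a reader judge why the removal is safe.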
@@ -26080,8 +26080,6 @@ CREATE INDEX index_emails_on_user_id ON emails USING btree (user_id); CREATE INDEX index_enabled_clusters_on_id ON clusters USING btree (id) WHERE (enabled = true); -CREATE INDEX index_environments_on_auto_stop_at ON environments USING btree (auto_stop_at) WHERE (auto_stop_at IS NOT NULL); - CREATE INDEX index_environments_on_name_varchar_pattern_ops ON environments USING btree (name varchar_pattern_ops); CREATE UNIQUE INDEX index_environments_on_project_id_and_name ON environments USING btree (project_id, name); diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 6a2504f64d2..2d805a9b1f1 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md 
@@ -705,6 +705,25 @@ The `merged_by` field in the [merge request API](https://docs.gitlab.com/ee/api/ ## 14.8 +### Vulnerability Check + +WARNING: +This feature will be changed or removed in 15.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +The vulnerability check feature is deprecated in GitLab 14.8 and scheduled for removal in GitLab 15.0. We encourage you to migrate to the new security approvals feature instead. You can do so by navigating to **Security & Compliance > Policies** and creating a new Scan Result Policy. + +The new security approvals feature is similar to vulnerability check. For example, both can require approvals for MRs that contain security vulnerabilities. However, security approvals improve the previous experience in several ways: + +- Users can choose who is allowed to edit security approval rules. An independent security or compliance team can therefore manage rules in a way that prevents development project maintainers from modifying the rules. +- Multiple rules can be created and chained together to allow for filtering on different severity thresholds for each scanner type. +- A two-step approval process can be enforced for any desired changes to security approval rules. +- A single set of security policies can be applied to multiple development projects to allow for ease in maintaining a single, centralized ruleset. + +**Planned removal milestone: 15.0 (2022-05-22)** + ### `fixup!` commit messages setting draft status of associated Merge Request The use of `fixup!` as a commit message to trigger draft status diff --git a/lib/gitlab/git/reference_update_error.rb b/lib/gitlab/git/reference_update_error.rb new file mode 100644 index 00000000000..bc1452b74f0 --- /dev/null +++ b/lib/gitlab/git/reference_update_error.rb 
@@ -0,0 +1,16 @@ +# frozen_string_literal: true + +module Gitlab + module Git + # ReferenceUpdateError represents an error that happen when trying to + # update a Git reference. + class ReferenceUpdateError < StandardError + def initialize(message, reference, old_oid, new_oid) + @message = message + @reference = reference + @old_oid = old_oid + @new_oid = new_oid + end + end + end +end diff --git a/lib/gitlab/gitaly_client/operation_service.rb b/lib/gitlab/gitaly_client/operation_service.rb index c17934f12c3..adbf07de1b9 100644 --- a/lib/gitlab/gitaly_client/operation_service.rb +++ b/lib/gitlab/gitaly_client/operation_service.rb @@ -168,8 +168,12 @@ module Gitlab raise unless decoded_error.present? - raise decoded_error + # We simply ignore any reference update errors which are typically an + # indicator of multiple RPC calls trying to update the same reference + # at the same point in time. + return if decoded_error.is_a?(Gitlab::Git::ReferenceUpdateError) + raise decoded_error ensure request_enum.close end @@ -495,6 +499,12 @@ module Gitlab access_check_error = detailed_error.access_check # These messages were returned from internal/allowed API calls Gitlab::Git::PreReceiveError.new(fallback_message: access_check_error.error_message) + when :reference_update + reference_update_error = detailed_error.reference_update + Gitlab::Git::ReferenceUpdateError.new(err.details, + reference_update_error.reference_name, + reference_update_error.old_oid, + reference_update_error.new_oid) else # We're handling access_check only for now, but we'll add more detailed error types nil diff --git a/package.json b/package.json index 54618cd9385..2ddf7433066 100644 --- a/package.json +++ b/package.json @@ -57,7 +57,7 @@ "@gitlab/favicon-overlay": "2.0.0", "@gitlab/svgs": "2.2.0", "@gitlab/tributejs": "1.0.0", - "@gitlab/ui": "33.0.0", + "@gitlab/ui": "33.1.0", "@gitlab/visual-review-tools": "1.6.1", "@rails/actioncable": "6.1.4-1", "@rails/ujs": "6.1.4-1", 
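Review bot: `ReferenceUpdateError#initialize` in the new `lib/gitlab/git/reference_update_error.rb` assigns `@message` but never calls `super`, so `StandardError#message` returns the class name instead of the Gitaly error text. `@reference`, `@old_oid` and `@new_oid` also have no readers, which leaves the decoded details unreachable for logging or handling. Replace `@message = message` with `super(message)` and add `attr_reader :reference, :old_oid, :new_oid`. The class comment has a small grammar slip as well: "an error that happen" should read "an error that happens".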
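Review bot: The added `return if decoded_error.is_a?(Gitlab::Git::ReferenceUpdateError)` in the first `operation_service.rb` hunk discards every reference-update failure without a trace, although the comment above it only says these are "typically" concurrent updates. The method then yields `nil`, and its callers (not visible here) have nothing to tell a lost race from any other rejected ref update. Logging the reference name and the old and new OIDs at warning level before returning would keep the failure in the audit trail; that in turn needs readers on `ReferenceUpdateError`. The comment should also state the return contract, for example `# Returns nil so that callers treat a concurrent update as "no merge performed"`, if that is the intent. The rescue block this sits in starts outside the hunk.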
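Review bot: The `else` branch comment `# We're handling access_check only for now, ...` in the second `operation_service.rb` hunk becomes stale once the `when :reference_update` arm is added. Reword it along the lines of `# Only access_check and reference_update are decoded; other detailed error types return nil`. The new arm passes `err.details` as the message, while the `access_check` arm uses the decoded error's own `error_message`; a short comment saying the gRPC status text is used deliberately would make that difference clear. The `case` statement starts outside the hunk.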
diff --git a/spec/lib/gitlab/gitaly_client/operation_service_spec.rb b/spec/lib/gitlab/gitaly_client/operation_service_spec.rb index 27e7d446770..f0115aa6b2b 100644 --- a/spec/lib/gitlab/gitaly_client/operation_service_spec.rb +++ b/spec/lib/gitlab/gitaly_client/operation_service_spec.rb @@ -2,6 +2,9 @@ require 'spec_helper' +require 'google/rpc/status_pb' +require 'google/protobuf/well_known_types' + RSpec.describe Gitlab::GitalyClient::OperationService do let_it_be(:user) { create(:user) } let_it_be(:project) { create(:project, :repository) } @@ -185,11 +188,16 @@ RSpec.describe Gitlab::GitalyClient::OperationService do context 'with an exception with the UserMergeBranchError' do let(:permission_error) do - GRPC::PermissionDenied.new( + new_detailed_error( + GRPC::Core::StatusCodes::PERMISSION_DENIED, "GitLab: You are not allowed to push code to this project.", - { "grpc-status-details-bin" => - "\b\a\x129GitLab: You are not allowed to push code to this project.\x1A\xDE\x01\n/type.googleapis.com/gitaly.UserMergeBranchError\x12\xAA\x01\n\xA7\x01\n1You are not allowed to push code to this project.\x12\x03web\x1A\auser-15\"df15b32277d2c55c6c595845a87109b09c913c556 5d6e0f935ad9240655f64e883cd98fad6f9a17ee refs/heads/master\n" } - ) + Gitaly::UserMergeBranchError.new( + access_check: Gitaly::AccessCheckError.new( + error_message: "You are not allowed to push code to this project.", + protocol: "web", + user_id: "user-15", + changes: "df15b32277d2c55c6c595845a87109b09c913c556 5d6e0f935ad9240655f64e883cd98fad6f9a17ee refs/heads/master\n" + ))) end it 'raises PreRecieveError with the error message' do 
@@ -217,6 +225,27 @@ RSpec.describe Gitlab::GitalyClient::OperationService do expect { subject }.to raise_error(GRPC::PermissionDenied) end end + + context 'with ReferenceUpdateError' do + let(:reference_update_error) do + new_detailed_error(GRPC::Core::StatusCodes::FAILED_PRECONDITION, + "some ignored error message", + Gitaly::UserMergeBranchError.new( + reference_update: Gitaly::ReferenceUpdateError.new( + reference_name: "refs/heads/something", + old_oid: "1234", + new_oid: "6789" + ))) + end + + it 'returns nil' do + expect_any_instance_of(Gitaly::OperationService::Stub) + .to receive(:user_merge_branch).with(kind_of(Enumerator), kind_of(Hash)) + .and_raise(reference_update_error) + + expect(subject).to be_nil + end + end end describe '#user_ff_branch' do @@ -478,4 +507,14 @@ RSpec.describe Gitlab::GitalyClient::OperationService do end end end + + def new_detailed_error(error_code, error_message, details) + status_error = Google::Rpc::Status.new( + code: error_code, + message: error_message, + details: [Google::Protobuf::Any.pack(details)] + ) + + GRPC::BadStatus.new(error_code, error_message, { "grpc-status-details-bin" => Google::Rpc::Status.encode(status_error) }) + end end diff --git a/yarn.lock b/yarn.lock index 0cc3a1bbf5d..6892e79775a 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -924,10 +924,10 @@ resolved "https://registry.yarnpkg.com/@gitlab/tributejs/-/tributejs-1.0.0.tgz#672befa222aeffc83e7d799b0500a7a4418e59b8" integrity sha512-nmKw1+hB6MHvlmPz63yPwVs1qQkycHwsKgxpEbzmky16Y6mL4EJMk3w1b8QlOAF/AIAzjCERPhe/R4MJiohbZw== -"@gitlab/ui@33.0.0": - version "33.0.0" - resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-33.0.0.tgz#d41f59e9acc19af84a80fa14c4ac4eff0b8f6ba5" - integrity sha512-os2PmiOIdzlYIv0GoFtvTmBXhl8B4rnzPgibHUOiMZf8n9Oye8LNs9+zA1fk5PRur/SVwmS5+0hIFH7Dyqt9hw== +"@gitlab/ui@33.1.0": + version "33.1.0" + resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-33.1.0.tgz#45ac2e6362546530b5756b1973f97f74a9c920da" + integrity sha512-kSpnGx7UjWxl0s6RBl9njhthD2tSyLHoVd3Q/E3WEE9gdw8VSa4tEeI2srD9eGl2npd/VUvO7tNIXzk5NpjLZg== dependencies: "@babel/standalone" "^7.0.0" bootstrap-vue "2.20.1"