diff --git a/.gitlab/issue_templates/Security developer workflow.md b/.gitlab/issue_templates/Security developer workflow.md
index 1b99a9ba838..d7ed4bf30e4 100644
--- a/.gitlab/issue_templates/Security developer workflow.md
+++ b/.gitlab/issue_templates/Security developer workflow.md
@@ -83,4 +83,4 @@ After your merge request has been approved according to our [approval guidelines
[issue really needs to follow the security release workflow]: https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md#making-sure-the-issue-needs-to-follow-the-security-release-workflow
[breaking changes workflow]: https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/far_reaching_impact_fixes_or_breaking_change_fixes.md
-/label ~security ~"security-notifications
+/label ~security ~"security-notifications"
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 8f4fa68ae18..9648edf91f6 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-5e3c8b379dcb1b415daef4e463b76df2c04ac10d
+801a942f21de22cf8ca8f59cca00175deafe7654
diff --git a/doc/administration/dedicated/index.md b/doc/administration/dedicated/index.md
index efe307a4505..107c6fc9108 100644
--- a/doc/administration/dedicated/index.md
+++ b/doc/administration/dedicated/index.md
@@ -374,4 +374,4 @@ GitLab [application logs](../../administration/logs/index.md) are delivered to a
To gain read only access to this bucket:
1. Open a [support ticket](https://support.gitlab.com/hc/en-us/requests/new?ticket_form_id=4414917877650) with the title "Customer Log Access". In the body of the ticket, include a list of IAM Principal ARNs (users or roles) that are fetching the logs from S3.
-1. GitLab then informs you of the name of the S3 bucket. Your nominated users/roles can then able to list and get all objects in the S3 bucket.
+1. GitLab then informs you of the name of the S3 bucket. Your nominated users/roles are then able to list and get all objects in the S3 bucket.
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index c0041899178..693a6f4f153 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -8121,6 +8121,29 @@ The edge type for [`AlertManagementIntegration`](#alertmanagementintegration).
| `cursor` | [`String!`](#string) | A cursor for use in pagination. |
| `node` | [`AlertManagementIntegration`](#alertmanagementintegration) | The item at the end of the edge. |
+#### `AmazonS3ConfigurationTypeConnection`
+
+The connection type for [`AmazonS3ConfigurationType`](#amazons3configurationtype).
+
+##### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `edges` | [`[AmazonS3ConfigurationTypeEdge]`](#amazons3configurationtypeedge) | A list of edges. |
+| `nodes` | [`[AmazonS3ConfigurationType]`](#amazons3configurationtype) | A list of nodes. |
+| `pageInfo` | [`PageInfo!`](#pageinfo) | Information to aid in pagination. |
+
+#### `AmazonS3ConfigurationTypeEdge`
+
+The edge type for [`AmazonS3ConfigurationType`](#amazons3configurationtype).
+
+##### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `cursor` | [`String!`](#string) | A cursor for use in pagination. |
+| `node` | [`AmazonS3ConfigurationType`](#amazons3configurationtype) | The item at the end of the edge. |
+
#### `ApprovalProjectRuleConnection`
The connection type for [`ApprovalProjectRule`](#approvalprojectrule).
@@ -13387,7 +13410,7 @@ An endpoint and credentials used to accept Prometheus alerts for a project.
### `AmazonS3ConfigurationType`
-Stores Amazon S3 configurations.
+Stores Amazon S3 configurations for audit event streaming.
#### Fields
@@ -17601,6 +17624,7 @@ GPG signature for a signed commit.
| `actualSizeLimit` | [`Float`](#float) | The actual storage size limit (in bytes) based on the enforcement type of either repository or namespace. This limit is agnostic of enforcement type. |
| `additionalPurchasedStorageSize` | [`Float`](#float) | Additional storage purchased for the root namespace in bytes. |
| `allowStaleRunnerPruning` | [`Boolean!`](#boolean) | Indicates whether to regularly prune stale group runners. Defaults to false. |
+| `amazonS3Configurations` | [`AmazonS3ConfigurationTypeConnection`](#amazons3configurationtypeconnection) | Amazon S3 configurations that receive audit events belonging to the group. (see [Connections](#connections)) |
| `autoDevopsEnabled` | [`Boolean`](#boolean) | Indicates whether Auto DevOps is enabled for all projects within this group. |
| `avatarUrl` | [`String`](#string) | Avatar URL of the group. |
| `containerRepositoriesCount` | [`Int!`](#int) | Number of container repositories in the group. |
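Review bot: The description of the new `amazonS3Configurations` field on the group type does not say which role or permission is needed to read it, even though it lists the destinations that receive the group's audit events. Suggest stating the required access in the description or linking the audit event streaming documentation, and confirming in the MR that the resolver enforces it.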
diff --git a/doc/user/application_security/policies/scan-result-policies.md b/doc/user/application_security/policies/scan-result-policies.md
index 6f7cf9cac82..381e9895a6b 100644
--- a/doc/user/application_security/policies/scan-result-policies.md
+++ b/doc/user/application_security/policies/scan-result-policies.md
@@ -101,15 +101,10 @@ On GitLab.com, this feature is not available.
## `scan_finding` rule type
-> - The scan result policy field `vulnerability_attributes` was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123052) in GitLab 16.2 [with a flag](../../../administration/feature_flags.md) named `enforce_vulnerability_attributes_rules`. Disabled by default.
-> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/418784) in GitLab 16.3.
+> - The scan result policy field `vulnerability_attributes` was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123052) in GitLab 16.2 [with a flag](../../../administration/feature_flags.md) named `enforce_vulnerability_attributes_rules`. [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/418784) in GitLab 16.3. Feature flag `enforce_vulnerability_attributes_rules` removed in GitLab 16.5.
> - The scan result policy field `vulnerability_age` was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123956) in GitLab 16.2.
> - The `branch_exceptions` field was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418741) in GitLab 16.3 [with a flag](../../../administration/feature_flags.md) named `security_policies_branch_exceptions`. Enabled by default.
-FLAG:
-On self-managed GitLab, by default the `vulnerability_attributes` field is available. To hide the feature, an administrator can [disable the feature flag](../../../administration/feature_flags.md) named `enforce_vulnerability_attributes_rules`.
-On GitLab.com, this feature is available.
-
FLAG:
On self-managed GitLab, by default the `branch_exceptions` field is available. To hide the feature, an administrator can [disable the feature flag](../../../administration/feature_flags.md) named `security_policies_branch_exceptions`.
On GitLab.com, this feature is available.
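Review bot: In the merged `vulnerability_attributes` history item, the added sentence "Feature flag `enforce_vulnerability_attributes_rules` removed in GitLab 16.5." carries no link, while the introduction and the enablement on the same line each link to their merge request or issue. Suggest linking the removal issue or MR, and keeping the three events as separate bullets so the item stays readable.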
diff --git a/lib/api/helpers/import_github_helpers.rb b/lib/api/helpers/import_github_helpers.rb
new file mode 100644
index 00000000000..25fe387c3ca
--- /dev/null
+++ b/lib/api/helpers/import_github_helpers.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module API
+ module Helpers
+ module ImportGithubHelpers
+ def client
+ @client ||= if Feature.enabled?(:remove_legacy_github_client)
+ Gitlab::GithubImport::Client.new(params[:personal_access_token], host: params[:github_hostname])
+ else
+ Gitlab::LegacyGithubImport::Client.new(params[:personal_access_token], **client_options)
+ end
+ end
+
+ def access_params
+ {
+ github_access_token: params[:personal_access_token],
+ additional_access_tokens: params[:additional_access_tokens]
+ }
+ end
+
+ def client_options
+ { host: params[:github_hostname] }
+ end
+
+ def provider
+ :github
+ end
+
+ def provider_unauthorized
+ error!("Access denied to your #{Gitlab::ImportSources.title(provider.to_s)} account.", 401)
+ end
+
+ def too_many_requests
+ error!('Too Many Requests', 429)
+ end
+ end
+ end
+end
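Review bot: In `client`, the new-client branch passes `host: params[:github_hostname]` inline while the legacy branch goes through `**client_options`, so the hostname option is defined in two places. Suggest using `client_options` in both branches. Now that this is a standalone module, a short comment saying that it relies on `params` and `error!` from the including API class would also help. Nothing in this file validates `params[:github_hostname]` before it becomes the host the client connects to with the personal access token, so the comment should point to where that validation happens.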
diff --git a/lib/api/import_github.rb b/lib/api/import_github.rb
index 475a03621e8..29dfa7c9f29 100644
--- a/lib/api/import_github.rb
+++ b/lib/api/import_github.rb
@@ -10,38 +10,7 @@ module API
rescue_from Octokit::Unauthorized, with: :provider_unauthorized
rescue_from Gitlab::GithubImport::RateLimitError, with: :too_many_requests
- helpers do
- def client
- @client ||= if Feature.enabled?(:remove_legacy_github_client)
- Gitlab::GithubImport::Client.new(params[:personal_access_token], host: params[:github_hostname])
- else
- Gitlab::LegacyGithubImport::Client.new(params[:personal_access_token], **client_options)
- end
- end
-
- def access_params
- {
- github_access_token: params[:personal_access_token],
- additional_access_tokens: params[:additional_access_tokens]
- }
- end
-
- def client_options
- { host: params[:github_hostname] }
- end
-
- def provider
- :github
- end
-
- def provider_unauthorized
- error!("Access denied to your #{Gitlab::ImportSources.title(provider.to_s)} account.", 401)
- end
-
- def too_many_requests
- error!('Too Many Requests', 429)
- end
- end
+ helpers ::API::Helpers::ImportGithubHelpers
desc 'Import a GitHub project' do
detail 'This feature was introduced in GitLab 11.3.4.'
diff --git a/lib/gitlab/ci/templates/Docker.gitlab-ci.yml b/lib/gitlab/ci/templates/Docker.gitlab-ci.yml
index 1aa346aec67..416f424dfa5 100644
--- a/lib/gitlab/ci/templates/Docker.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Docker.gitlab-ci.yml
@@ -11,7 +11,7 @@
docker-build:
# Use the official docker image.
- image: docker:latest
+ image: docker:cli
stage: build
services:
- docker:dind
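Review bot: `image: docker:cli` is still a floating tag, and the `docker:dind` service under it is unversioned as well, so the client and daemon images can change between pipeline runs and drift apart. Suggest pinning both to the same explicit version tag in the template, or adding a comment that tells template users to do so.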
diff --git a/package.json b/package.json
index e13816a1d00..1edf117345e 100644
--- a/package.json
+++ b/package.json
@@ -286,7 +286,7 @@
"prosemirror-test-builder": "^1.1.1",
"purgecss": "^4.0.3",
"purgecss-from-html": "^4.0.3",
- "sass": "^1.49.9",
+ "sass": "^1.69.0",
"stylelint": "^15.10.2",
"swagger-cli": "^4.0.4",
"timezone-mock": "^1.0.8",
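Review bot: The `sass` range moves from `^1.49.9` to `^1.69.0`, twenty minor versions in a single line, with nothing here explaining why. Suggest stating the reason in the MR description and confirming that the compiled CSS was checked for output changes and new compiler warnings after the upgrade.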
diff --git a/spec/lib/api/helpers/import_github_helpers_spec.rb b/spec/lib/api/helpers/import_github_helpers_spec.rb
new file mode 100644
index 00000000000..72f72023a77
--- /dev/null
+++ b/spec/lib/api/helpers/import_github_helpers_spec.rb
@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe API::Helpers::ImportGithubHelpers, feature_category: :importers do
+ subject do
+ helper = Class.new.include(described_class).new
+ def helper.params = {
+ personal_access_token: 'foo',
+ additional_access_tokens: 'bar',
+ github_hostname: 'github.example.com'
+ }
+ helper
+ end
+
+ describe '#client' do
+ context 'when remove_legacy_github_client is enabled' do
+ before do
+ stub_feature_flags(remove_legacy_github_client: true)
+ end
+
+ it 'returns the new github client' do
+ expect(subject.client).to be_a(Gitlab::GithubImport::Client)
+ end
+ end
+
+ context 'when remove_legacy_github_client is disabled' do
+ before do
+ stub_feature_flags(remove_legacy_github_client: false)
+ end
+
+ it 'returns the old github client' do
+ expect(subject.client).to be_a(Gitlab::LegacyGithubImport::Client)
+ end
+ end
+ end
+
+ describe '#access_params' do
+ it 'makes the passed in personal access token and extra tokens accessible' do
+ expect(subject.access_params).to eq({ github_access_token: 'foo', additional_access_tokens: 'bar' })
+ end
+ end
+
+ describe '#client_options' do
+ it 'makes the GitHub hostname accessible' do
+ expect(subject.client_options).to eq({ host: 'github.example.com' })
+ end
+ end
+
+ describe '#provider' do
+ it 'is GitHub' do
+ expect(subject.provider).to eq(:github)
+ end
+ end
+
+ describe '#provider_unauthorized' do
+ it 'raises an error' do
+ expect(subject).to receive(:error!).with('Access denied to your GitHub account.', 401)
+ subject.provider_unauthorized
+ end
+ end
+
+ describe '#too_many_requests' do
+ it 'raises an error' do
+ expect(subject).to receive(:error!).with('Too Many Requests', 429)
+ subject.too_many_requests
+ end
+ end
+end
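Review bot: The `#provider_unauthorized` and `#too_many_requests` examples are titled 'raises an error', but `expect(subject).to receive(:error!)` replaces `error!` with a mock, so nothing is raised and the title does not match what is asserted. Suggest renaming them, for example 'calls error! with a 401 status' and 'calls error! with a 429 status'. The anonymous `subject` that builds a class and defines a singleton `params` would also read more clearly as a named `let(:helper)`.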
diff --git a/yarn.lock b/yarn.lock
index 2c09a7dfbdb..f98ad6d4c5f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11762,10 +11762,10 @@ safe-regex@^2.1.1:
resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==
-sass@^1.49.9:
- version "1.49.9"
- resolved "https://registry.yarnpkg.com/sass/-/sass-1.49.9.tgz#b15a189ecb0ca9e24634bae5d1ebc191809712f9"
- integrity sha512-YlYWkkHP9fbwaFRZQRXgDi3mXZShslVmmo+FVK3kHLUELHHEYrCmL1x6IUjC7wLS6VuJSAFXRQS/DxdsC4xL1A==
+sass@^1.69.0:
+ version "1.69.0"
+ resolved "https://registry.yarnpkg.com/sass/-/sass-1.69.0.tgz#5195075371c239ed556280cf2f5944d234f42679"
+ integrity sha512-l3bbFpfTOGgQZCLU/gvm1lbsQ5mC/WnLz3djL2v4WCJBDrWm58PO+jgngcGRNnKUh6wSsdm50YaovTqskZ0xDQ==
dependencies:
chokidar ">=3.0.0 <4.0.0"
immutable "^4.0.0"