From ab5132651a3c78adcbfffd20d1f9d0da437ee85b Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Thu, 12 Jun 2025 00:12:54 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 CHANGELOG.md                                  |  56 ++++++
 GITLAB_KAS_VERSION                            |   2 +-
 .../behaviors/components/json_table.vue       |  11 +-
 .../behaviors/markdown/render_json_table.js   |   6 +-
 .../groups/components/group_name_and_path.vue |   2 +-
 .../groups/components/new_edit_form.vue       |   2 +-
 .../import_from_gitlab_export_app.vue         |   2 +-
 .../general/components/advanced_settings.vue  |   4 +-
 .../general/components/change_url.vue         |  21 +--
 .../components/organization_settings.vue      |  18 +-
 .../projects/components/new_edit_form.vue     |   2 +-
 .../shared_project_creation_fields.vue        |   2 +-
 .../search/results/components/blob_header.vue |  14 +-
 .../components/create_work_item.vue           |  13 +-
 .../shared/work_item_namespace_listbox.vue    |   1 -
 .../components/work_item_breadcrumb.vue       |   2 +-
 .../work_item_projects_listbox.vue            |  13 +-
 ...ce_projects_for_links_widget.query.graphql |   9 +-
 app/assets/javascripts/work_items/index.js    |   6 +-
 .../work_items/pages/create_work_item.vue     |  14 +-
 .../rapid_diffs/diff_file_component.rb        |   8 +-
 .../rapid_diffs/streaming_resource.rb         |  34 ++--
 app/controllers/glql/base_controller.rb       |   4 +-
 app/controllers/groups/uploads_controller.rb  |   1 -
 .../groups/work_items_controller.rb           |   8 +-
 app/controllers/projects/issues_controller.rb |   3 +-
 .../merge_requests/diffs_stream_controller.rb |   8 +-
 app/controllers/projects_controller.rb        |   5 +-
 .../http_integration/create.rb                |   7 +
 .../http_integration/http_integration_base.rb |   4 +-
 app/helpers/application_settings_helper.rb    |   2 +
 app/models/application_setting.rb             |   4 +
 .../application_setting_implementation.rb     |   2 +
 app/models/board.rb                           |   2 +-
 .../concerns/integrations/base/asana.rb       |   7 +-
 .../concerns/integrations/base/assembla.rb    |   2 +-
 .../concerns/integrations/base/bamboo.rb      |   4 +-
 .../integrations/base/external_wiki.rb        |   2 +-
 .../integrations/base/hangouts_chat.rb        |   2 +-
 .../integrations/base/issue_tracker.rb        |   2 +-
 .../concerns/integrations/base/mock_ci.rb     |   2 +-
 .../integrations/base/pivotaltracker.rb       |   2 +-
 .../concerns/integrations/base/pumble.rb      |   2 +-
 .../concerns/integrations/base/pushover.rb    |   2 +-
 .../concerns/integrations/base/teamcity.rb    |   4 +-
 .../concerns/integrations/base/telegram.rb    |   4 +-
 .../integrations/base/unify_circuit.rb        |   2 +-
 .../concerns/integrations/base/webex_teams.rb |   3 +-
 .../integrations/slack_mattermost_notifier.rb |   2 +-
 app/models/concerns/web_hooks/hook.rb         |  10 +-
 app/models/integrations/buildkite.rb          |   2 +-
 app/models/integrations/campfire.rb           |   4 +-
 app/models/integrations/drone_ci.rb           |   2 +-
 app/models/integrations/matrix.rb             |   2 +-
 .../remote_file.rb                            |   4 +-
 .../slack_installation/base_service.rb        |   2 +-
 .../incident_modal_closed_service.rb          |   2 +-
 .../incident_modal_submit_service.rb          |   2 +-
 .../proxy_lifecycle_event_service.rb          |   2 +-
 .../lfs_download_link_list_service.rb         |   4 +-
 .../lfs_pointers/lfs_download_service.rb      |   5 +-
 app/services/web_hook_service.rb              |   1 +
 .../application_setting_response_limits.json  |  10 ++
 app/views/admin/labels/index.html.haml        |   2 +
 app/views/groups/labels/index.html.haml       |   2 +
 .../import/shared/_new_project_form.html.haml |   2 +-
 .../projects/_new_project_fields.html.haml    |   2 +-
 app/views/projects/labels/index.html.haml     |   8 +-
 .../empty_states/_priority_labels.html.haml   |   4 +-
 .../jira_connect/retry_request_worker.rb      |   2 +-
 config/initializers/net_http.rb               |  62 +++++--
 ...ll_bulk_import_export_batches_group_id.yml |   2 +-
 ...agement_repository_states_namespace_id.yml |   2 +-
 ...fill_design_user_mentions_namespace_id.yml |   2 +-
 .../backfill_issuable_slas_namespace_id.yml   |   2 +-
 ...ize_backfill_issuable_slas_namespace_id.rb |  20 +++
 ...ill_bulk_import_export_batches_group_id.rb |  20 +++
 ...kfill_design_user_mentions_namespace_id.rb |  21 +++
 ...nagement_repository_states_namespace_id.rb |  21 +++
 db/schema_migrations/20250605204337           |   1 +
 db/schema_migrations/20250610152957           |   1 +
 db/schema_migrations/20250611095947           |   1 +
 db/schema_migrations/20250611100647           |   1 +
 doc/administration/gitaly/praefect.md         |   9 +
 doc/administration/instance_limits.md         |  32 ++++
 doc/api/graphql/reference/_index.md           |   9 +-
 doc/api/settings.md                           |   2 +
 .../import/principles_of_importer_design.md   |   8 +-
 doc/development/integrations/_index.md        |   7 +-
 doc/user/gitlab_duo_chat/_index.md            |   3 +-
 doc/user/project/settings/import_export.md    |   2 +
 gems/gitlab-http/.rubocop.yml                 |   3 +
 gems/gitlab-http/lib/gitlab/http_v2/client.rb |  39 ++---
 .../lib/gitlab/http_v2/exceptions.rb          |   4 +-
 gems/gitlab-http/spec/gitlab/http_v2_spec.rb  | 103 +++++------
 lib/api/notes.rb                              |   4 +-
 lib/atlassian/jira_connect/client.rb          |   8 +-
 lib/bitbucket/app_password_connection.rb      |   2 +-
 lib/bitbucket_server/connection.rb            |   6 +-
 lib/bulk_imports/clients/graphql.rb           |   2 +-
 lib/bulk_imports/clients/http.rb              |   8 +-
 lib/gitlab/chat/responder/mattermost.rb       |   2 +-
 lib/gitlab/chat/responder/slack.rb            |   2 +-
 lib/gitlab/diff/file.rb                       |   4 +
 lib/gitlab/fogbugz_import/http_adapter.rb     |   2 +-
 lib/gitlab/git_access.rb                      |   5 +-
 lib/gitlab/git_access_snippet.rb              |   4 +-
 .../representation/gist.rb                    |   2 +-
 .../github_import/attachments_downloader.rb   |   2 +-
 lib/gitlab/harbor/client.rb                   |   4 +-
 lib/gitlab/http.rb                            |  18 ++
 lib/gitlab/jira/http_client.rb                |   2 +-
 lib/gitlab/prometheus_client.rb               |   2 +-
 lib/gitlab/slash_commands/verify_request.rb   |   2 +-
 lib/gitlab/zentao/client.rb                   |   2 +-
 lib/import/clients/http.rb                    |  51 ++++++
 lib/integrations/clients/http.rb              |  51 ++++++
 lib/mattermost/session.rb                     |   6 +-
 lib/microsoft_teams/notifier.rb               |   2 +-
 lib/slack/api.rb                              |   2 +-
 locale/gitlab.pot                             |  30 ++--
 .../rapid_diffs/streaming_resource_spec.rb    |  31 +++-
 spec/controllers/glql/base_controller_spec.rb |  63 +++++--
 ...cy_proxy_for_containers_controller_spec.rb |  28 +--
 spec/controllers/projects_controller_spec.rb  |  33 ++++
 spec/factories/deploy_tokens.rb               |   8 +
 .../dependency_proxy_for_containers_spec.rb   |   8 +-
 .../concerns/packages/finder_helper_spec.rb   |   9 +-
 .../packages/group_packages_finder_spec.rb    |   6 +-
 .../behaviors/components/json_table_spec.js   |  91 +++++-----
 .../markdown/render_json_table_spec.js        |  27 +++
 .../general/components/change_url_spec.js     |  10 --
 .../components/organization_settings_spec.js  |  13 +-
 .../results/components/blob_header_spec.js    |  97 +++++++++++
 .../work_item_namespace_listbox_spec.js       |   8 -
 .../components/work_item_breadcrumb_spec.js   |  22 ++-
 .../work_item_projects_listbox_spec.js        |  53 ++----
 .../work_items/pages/create_work_item_spec.js |  60 +++++--
 .../http_integration/create_spec.rb           |  30 +++-
 spec/initializers/net_http_spec.rb            | 162 +++++++++---------
 .../bitbucket/app_password_connection_spec.rb |   9 +-
 spec/lib/bulk_imports/clients/http_spec.rb    |   1 +
 .../gitlab/chat/responder/mattermost_spec.rb  |   2 +-
 spec/lib/gitlab/chat/responder/slack_spec.rb  |   4 +-
 spec/lib/gitlab/diff/file_spec.rb             |  14 ++
 spec/lib/gitlab/git_access_spec.rb            |   4 +-
 .../attachments_downloader_spec.rb            |  21 +--
 spec/lib/gitlab/http_spec.rb                  |  42 +++++
 spec/lib/import/clients/http_spec.rb          |  22 +++
 spec/lib/integrations/clients/http_spec.rb    |  22 +++
 spec/models/board_spec.rb                     |  13 ++
 spec/models/ci/build_spec.rb                  |  10 +-
 spec/models/deploy_token_spec.rb              |   9 +-
 spec/models/integrations/matrix_spec.rb       |   6 +-
 spec/models/project_spec.rb                   |   6 -
 spec/policies/group_policy_spec.rb            |  12 +-
 .../dependency_proxy/group_policy_spec.rb     |   8 +-
 .../packages/policies/group_policy_spec.rb    |   8 +-
 spec/policies/project_policy_spec.rb          |  18 +-
 .../api/cargo_project_packages_spec.rb        |   6 +-
 spec/requests/api/composer_packages_spec.rb   |   6 +-
 spec/requests/api/generic_packages_spec.rb    |   9 +-
 .../http_integration/create_spec.rb           |  26 +++
 spec/requests/api/helm_packages_spec.rb       |   3 +-
 spec/requests/api/maven_packages_spec.rb      |  23 ++-
 .../api/nuget_project_packages_spec.rb        |   6 +-
 spec/requests/api/pypi_packages_spec.rb       |   3 +-
 .../requests/api/rpm_project_packages_spec.rb |   6 +-
 spec/requests/api/rubygem_packages_spec.rb    |   3 +-
 .../groups/work_items_controller_spec.rb      |  23 +++
 .../remote_file_spec.rb                       |   6 +-
 .../incident_modal_closed_service_spec.rb     |   5 +-
 .../incident_modal_submit_service_spec.rb     |  36 ++--
 .../lfs_download_link_list_service_spec.rb    |   4 +-
 .../api/npm_packages_shared_context.rb        |   3 +-
 .../api/terraform_modules_shared_context.rb   |   5 +-
 .../http_integrations_shared_examples.rb      |   4 +-
 .../base/asana_shared_examples.rb             |   6 +-
 .../base/telegram_shared_examples.rb          |   6 +-
 .../web_hooks/web_hook_shared_examples.rb     |  29 ++++
 .../project_policy_shared_examples.rb         |   4 +
 .../services/deploy_token_shared_examples.rb  |  17 +-
 182 files changed, 1535 insertions(+), 704 deletions(-)
 create mode 100644 db/post_migrate/20250605204337_finalize_backfill_issuable_slas_namespace_id.rb
 create mode 100644 db/post_migrate/20250610152957_finalize_backfill_bulk_import_export_batches_group_id.rb
 create mode 100644 db/post_migrate/20250611095947_finalize_backfill_design_user_mentions_namespace_id.rb
 create mode 100644 db/post_migrate/20250611100647_finalize_backfill_design_management_repository_states_namespace_id.rb
 create mode 100644 db/schema_migrations/20250605204337
 create mode 100644 db/schema_migrations/20250610152957
 create mode 100644 db/schema_migrations/20250611095947
 create mode 100644 db/schema_migrations/20250611100647
 create mode 100644 lib/import/clients/http.rb
 create mode 100644 lib/integrations/clients/http.rb
 create mode 100644 spec/lib/import/clients/http_spec.rb
 create mode 100644 spec/lib/integrations/clients/http_spec.rb

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ced32a47214..e41954fd8d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,27 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 18.0.2 (2025-06-11)
+
+### Fixed (5 changes)
+
+- [Fix Upgrade to 18.0: No such column](https://gitlab.com/gitlab-org/security/gitlab/-/commit/bde20c3f31d324493d032be57be4465f0919760e)
+- [Fix IDE links returns about:blank in old code dropdown](https://gitlab.com/gitlab-org/security/gitlab/-/commit/633864727f574f9d9b93826bb76d66a790382915)
+- [Fix the title/body issue for todo apis when it is a duo todo](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d8080ea15af34cf804ce024b207f2fa4817c87a6) **GitLab Enterprise Edition**
+- [Fix gitpod button is missing in the edit dropdown](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4bbef760c63924f2821233d98dc04c1982751430)
+- [Move fork_networks organization_id NOT NULL to post-migrate](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2bbea09c16044981bf316dd43544a87e4bf67147)
+
+### Security (8 changes)
+
+- [Protect webhook from excessive payload lengths](https://gitlab.com/gitlab-org/security/gitlab/-/commit/990fae5b6be86c6769c2086578ae2096762e21a8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5059))
+- [Endless Redirect Loop in any project when query param "format" is "git"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fdbfb6cd14973800abeec182823bcfa647a1a5a8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5038))
+- [Backport for "Add validation for board name length" to 18-0 stable](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ba616a03359751fc3add6f8504c79f4381efa703) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5044))
+- [Fix # #1329 - IDOR in compliance framework export endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ffea57e8e171b120f5f66fe81da39a21e5ab0258) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5041))
+- [Fix authorization for compliance frameworks projects](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0d783852162009bc5286a939534f2a5e2f1ae7ef) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5034))
+- [security: Git redirection inconsistency](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3fb95759edb3e7729b981bf48140ef9a05a32761) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5020))
+- [Fix XSS with CSP bypass in JSON tables](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fcfebf2f188ed90eea3f7db92ebeedcbadc6504d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5022))
+- [Limit HTTP response size](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f8bf80825e1bd802be7be374905600059abd2726) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5014))
+
 ## 18.0.1 (2025-05-21)
 
 ### Fixed (1 change)
@@ -856,6 +877,24 @@ entry.
 - [Finalize migration BackfillContainerRepositoryStatesProjectId](https://gitlab.com/gitlab-org/gitlab/-/commit/78f333c76a39d0a85938318b3be49905c19074e6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185869))
 - [Finalize migration BackfillPackagesRpmMetadataProjectId](https://gitlab.com/gitlab-org/gitlab/-/commit/d066d88be1fff7cfcf64017124af797e085a4b4f) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184553))
 
+## 17.11.4 (2025-06-11)
+
+### Fixed (2 changes)
+
+- [Fix gitpod button is missing in the edit dropdown](https://gitlab.com/gitlab-org/security/gitlab/-/commit/813a005dc240c1bfafc313ded694317a96f1a877)
+- [Attempt to migrate ci_runner_taggings table (try 2)](https://gitlab.com/gitlab-org/security/gitlab/-/commit/706a075f79838d5d8421c5eae2e96a7601164201)
+
+### Security (8 changes)
+
+- [Protect webhook from excessive payload lengths](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a0d74cdeed26661b221446efc90fb5bd19b54d95) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5060))
+- [Endless Redirect Loop in any project when query param "format" is "git"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/24d25f0b270337679bcfe282370ad169d137471f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5039))
+- [Backport for "Add validation for board name length" to 17-11-stable](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5ed051286369ec256431faeb44a16c848b6d0edc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5045))
+- [Fix # #1329 - IDOR in compliance framework export endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/071c88429e0974fdf1c0d67e7ba9d1f419843244) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5043))
+- [security: Git redirection inconsistency](https://gitlab.com/gitlab-org/security/gitlab/-/commit/373f9840af59eae05b14ea200fa10c1e4ecd7367) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5019))
+- [Fix XSS with CSP bypass in JSON tables](https://gitlab.com/gitlab-org/security/gitlab/-/commit/862a14acb446e9f7ce962404d8d472b19d832ff8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4987))
+- [Limit HTTP response size](https://gitlab.com/gitlab-org/security/gitlab/-/commit/94d20db29203681d75da5642fe4d1da51238863e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5015))
+- [Fix authorization for compliance frameworks projects](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0eecdfe1df4254e2674efe9c0e309d9325db5c4b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5035))
+
 ## 17.11.3 (2025-05-21)
 
 ### Fixed (1 change)
@@ -1683,6 +1722,23 @@ entry.
 - [Remove feature flag allow_merge_request_pipelines_from_fork](https://gitlab.com/gitlab-org/gitlab/-/commit/b62f9187a57cc5ba66ce26889516cc55a425181a) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182862))
 - [Finalize migration BackfillNewAuditEventTables](https://gitlab.com/gitlab-org/gitlab/-/commit/1bc0f07ffd3af5b9fab8a0ea0b1af5f2759d25db) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181881))
 
+## 17.10.8 (2025-06-11)
+
+### Fixed (2 changes)
+
+- [Fix gitpod button is missing in the edit dropdown](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c3ad6f66e6f17a5bf8fa2489a7335dfa58fc55a6)
+- [Attempt to migrate ci_runner_taggings table (try 2)](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c2520ea439dcb4fee531fcc39efc85ab4b607a6c)
+
+### Security (7 changes)
+
+- [Protect webhook from excessive payload lengths](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1fb7390786ae5c22ec7f1bc172423a76835aa14c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5061))
+- [Endless Redirect Loop in any project when query param "format" is "git"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fddb00a30506eb534dc9e1f5c1923eee3e33c0b3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5040))
+- [Backport for "Add validation for board name length" to 17-10-stable](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a69cf8ef367ef1897158af0619cd537fe5d2a5df) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5046))
+- [Fix # #1329 - IDOR in compliance framework export endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7b4f9e9fb7411a18185ada44dc88dd264e6a228b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5042))
+- [security: Git redirection inconsistency](https://gitlab.com/gitlab-org/security/gitlab/-/commit/12003cbfb9b4081a352724922e6ed9aa97656ace) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4900))
+- [Fix XSS with CSP bypass in JSON tables](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1b02f9ed79b3a999baae5c02fa4f26c487927cba) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4988))
+- [Limit HTTP response size](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1411cb581f68400b5370d694cce3c67e5f0e2294) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5016))
+
 ## 17.10.7 (2025-05-21)
 
 ### Security (9 changes)
diff --git a/GITLAB_KAS_VERSION b/GITLAB_KAS_VERSION
index 414cd38fe74..807ca0e3226 100644
--- a/GITLAB_KAS_VERSION
+++ b/GITLAB_KAS_VERSION
@@ -1 +1 @@
-3a09d6c84e9ac6d32832372afd9c6100a56a2b24
+060d5cb6dbc76ef1344a8fabf21cbae551ecab90
diff --git a/app/assets/javascripts/behaviors/components/json_table.vue b/app/assets/javascripts/behaviors/components/json_table.vue
index 24bbb210cf5..d08f08341d7 100644
--- a/app/assets/javascripts/behaviors/components/json_table.vue
+++ b/app/assets/javascripts/behaviors/components/json_table.vue
@@ -2,7 +2,7 @@
 import { GlTable, GlFormInput } from '@gitlab/ui';
 import { memoize } from 'lodash';
 import { __ } from '~/locale';
-import { sanitize } from '~/lib/dompurify';
+import { sanitize, defaultConfig } from '~/lib/dompurify';
 import SafeHtml from '~/vue_shared/directives/safe_html';
 
 const domParser = new DOMParser();
@@ -74,6 +74,11 @@ export default {
       return `cell(${field.key})`;
     },
   },
+  safeHtmlConfig: {
+    ...defaultConfig,
+    FORBID_ATTR: [...defaultConfig.FORBID_ATTR, 'class', 'style'],
+    ALLOW_DATA_ATTR: false,
+  },
 };
 </script>
 <template>
@@ -92,11 +97,11 @@ export default {
       class="!gl-mt-0"
     >
       <template v-if="isHtmlSafe" #cell()="data">
-        <div v-safe-html="data.value"></div>
+        <div v-safe-html:[$options.safeHtmlConfig]="data.value"></div>
       </template>
       <template v-else #cell()="data">{{ data.value }}</template>
       <template v-if="caption" #table-caption>
-        <small v-if="isHtmlSafe" v-safe-html="caption"></small>
+        <small v-if="isHtmlSafe" v-safe-html:[$options.safeHtmlConfig]="caption"></small>
         <small v-else>{{ caption }}</small>
       </template>
     </gl-table>
diff --git a/app/assets/javascripts/behaviors/markdown/render_json_table.js b/app/assets/javascripts/behaviors/markdown/render_json_table.js
index 26b74a6f9ff..60ad021cabb 100644
--- a/app/assets/javascripts/behaviors/markdown/render_json_table.js
+++ b/app/assets/javascripts/behaviors/markdown/render_json_table.js
@@ -29,8 +29,8 @@ const mountParseError = (element) => {
   });
 };
 
-const mountJSONTableVueComponent = (userData, element) => {
-  const { fields = [], items = [], filter, caption, isHtmlSafe } = userData;
+const mountJSONTableVueComponent = (userData, element, isHtmlSafe = false) => {
+  const { fields = [], items = [], filter, caption } = userData;
   const container = document.createElement('div');
 
   element.classList.add('js-json-table');
@@ -97,7 +97,7 @@ const renderTableHTML = (element) => {
       ),
     );
 
-    mountJSONTableVueComponent({ fields, filter, caption, items, isHtmlSafe: markdown }, parent);
+    mountJSONTableVueComponent({ fields, filter, caption, items }, parent, Boolean(markdown));
   } catch (e) {
     mountParseError(parent);
   }
diff --git a/app/assets/javascripts/groups/components/group_name_and_path.vue b/app/assets/javascripts/groups/components/group_name_and_path.vue
index cf866897721..91e205f6532 100644
--- a/app/assets/javascripts/groups/components/group_name_and_path.vue
+++ b/app/assets/javascripts/groups/components/group_name_and_path.vue
@@ -34,7 +34,7 @@ export default {
   i18n: {
     inputs: {
       name: {
-        placeholder: __('My awesome group'),
+        placeholder: __('My group'),
         description: s__(
           'Groups|Must start with letter, digit, emoji, or underscore. Can also contain periods, dashes, spaces, and parentheses.',
         ),
diff --git a/app/assets/javascripts/groups/components/new_edit_form.vue b/app/assets/javascripts/groups/components/new_edit_form.vue
index f47066123b5..ecc98f2ca34 100644
--- a/app/assets/javascripts/groups/components/new_edit_form.vue
+++ b/app/assets/javascripts/groups/components/new_edit_form.vue
@@ -96,7 +96,7 @@ export default {
           ],
           inputAttrs: {
             width: { md: 'lg' },
-            placeholder: __('My awesome group'),
+            placeholder: __('My group'),
           },
           groupAttrs: {
             description: s__(
diff --git a/app/assets/javascripts/import/gitlab_project/import_from_gitlab_export_app.vue b/app/assets/javascripts/import/gitlab_project/import_from_gitlab_export_app.vue
index 4eddd30880b..481c5bb5fec 100644
--- a/app/assets/javascripts/import/gitlab_project/import_from_gitlab_export_app.vue
+++ b/app/assets/javascripts/import/gitlab_project/import_from_gitlab_export_app.vue
@@ -173,7 +173,7 @@ export default {
             :pattern="$options.projectNamePattern"
             name="name"
             required
-            :placeholder="s__('ProjectsNew|My awesome project')"
+            :placeholder="s__('ProjectsNew|My project')"
             data-testid="project-name"
           />
         </gl-form-group>
diff --git a/app/assets/javascripts/organizations/settings/general/components/advanced_settings.vue b/app/assets/javascripts/organizations/settings/general/components/advanced_settings.vue
index 0ecfd3198ee..b394c77a6d2 100644
--- a/app/assets/javascripts/organizations/settings/general/components/advanced_settings.vue
+++ b/app/assets/javascripts/organizations/settings/general/components/advanced_settings.vue
@@ -9,7 +9,9 @@ export default {
   i18n: {
     settingsBlock: {
       title: __('Advanced'),
-      description: s__('Organization|Perform advanced options such as deleting the organization.'),
+      description: s__(
+        'Organization|Perform advanced options such as changing the organization URL.',
+      ),
     },
   },
   props: {
diff --git a/app/assets/javascripts/organizations/settings/general/components/change_url.vue b/app/assets/javascripts/organizations/settings/general/components/change_url.vue
index 7e4a6cc6030..2af6263438d 100644
--- a/app/assets/javascripts/organizations/settings/general/components/change_url.vue
+++ b/app/assets/javascripts/organizations/settings/general/components/change_url.vue
@@ -16,9 +16,6 @@ export default {
   inject: ['organization'],
   i18n: {
     cardHeaderTitle: s__('Organization|Change organization URL'),
-    cardHeaderDescription: s__(
-      "Organization|Changing an organization's URL can have unintended side effects.",
-    ),
     submitButtonText: s__('Organization|Change organization URL'),
     errorMessage: s__(
       'Organization|An error occurred changing your organization URL. Please try again.',
@@ -45,11 +42,6 @@ export default {
       errors: [],
     };
   },
-  computed: {
-    isSubmitButtonDisabled() {
-      return this.formValues.path === this.organization.path;
-    },
-  },
   methods: {
     async onSubmit() {
       this.errors = [];
@@ -84,7 +76,6 @@ export default {
         ]);
       } catch (error) {
         createAlert({ message: this.$options.i18n.errorMessage, error, captureError: true });
-      } finally {
         this.loading = false;
       }
     },
@@ -100,7 +91,6 @@ export default {
         <div class="gl-flex gl-grow">
           <h4 class="gl-m-0 gl-text-base gl-leading-24">{{ $options.i18n.cardHeaderTitle }}</h4>
         </div>
-        <p class="gl-m-0 gl-text-sm gl-text-subtle">{{ $options.i18n.cardHeaderDescription }}</p>
       </template>
       <gl-form :id="$options.formId">
         <gl-form-fields
@@ -120,14 +110,9 @@ export default {
           </template>
         </gl-form-fields>
         <div class="gl-flex gl-gap-3">
-          <gl-button
-            type="submit"
-            variant="danger"
-            class="js-no-auto-disable"
-            :loading="loading"
-            :disabled="isSubmitButtonDisabled"
-            >{{ $options.i18n.submitButtonText }}</gl-button
-          >
+          <gl-button type="submit" variant="danger" class="js-no-auto-disable" :loading="loading">{{
+            $options.i18n.submitButtonText
+          }}</gl-button>
         </div>
       </gl-form>
     </gl-card>
diff --git a/app/assets/javascripts/organizations/settings/general/components/organization_settings.vue b/app/assets/javascripts/organizations/settings/general/components/organization_settings.vue
index 36054960844..44ebd2bcffe 100644
--- a/app/assets/javascripts/organizations/settings/general/components/organization_settings.vue
+++ b/app/assets/javascripts/organizations/settings/general/components/organization_settings.vue
@@ -1,4 +1,5 @@
 <script>
+import { GlSprintf } from '@gitlab/ui';
 import { s__, __ } from '~/locale';
 import { createAlert } from '~/alert';
 import { visitUrlWithAlerts } from '~/lib/utils/url_utility';
@@ -11,19 +12,22 @@ import {
 } from '~/organizations/shared/constants';
 import FormErrorsAlert from '~/organizations/shared/components/errors_alert.vue';
 import SettingsBlock from '~/vue_shared/components/settings/settings_block.vue';
+import HelpPageLink from '~/vue_shared/components/help_page_link/help_page_link.vue';
 import { convertToGraphQLId } from '~/graphql_shared/utils';
 import { TYPE_ORGANIZATION } from '~/graphql_shared/constants';
 import organizationUpdateMutation from '../graphql/mutations/organization_update.mutation.graphql';
 
 export default {
   name: 'OrganizationSettings',
-  components: { NewEditForm, SettingsBlock, FormErrorsAlert },
+  components: { NewEditForm, SettingsBlock, FormErrorsAlert, HelpPageLink, GlSprintf },
   inject: ['organization'],
   i18n: {
     submitButtonText: __('Save changes'),
     settingsBlock: {
       title: s__('Organization|Organization settings'),
-      description: s__('Organization|Update your organization name, description, and avatar.'),
+      description: s__(
+        'Organization|Update your organization name, description, and avatar. %{linkStart}Learn more about organizations%{linkEnd}.',
+      ),
     },
     errorMessage: s__(
       'Organization|An error occurred updating your organization. Please try again.',
@@ -116,7 +120,15 @@ export default {
     :title="$options.i18n.settingsBlock.title"
     @toggle-expand="$emit('toggle-expand', $event)"
   >
-    <template #description>{{ $options.i18n.settingsBlock.description }}</template>
+    <template #description>
+      <gl-sprintf :message="$options.i18n.settingsBlock.description">
+        <template #link="{ content }">
+          <help-page-link href="user/organization/_index.md" target="_blank">{{
+            content
+          }}</help-page-link>
+        </template>
+      </gl-sprintf>
+    </template>
     <template #default>
       <form-errors-alert v-model="errors" :scroll-on-error="true" />
       <new-edit-form
diff --git a/app/assets/javascripts/projects/components/new_edit_form.vue b/app/assets/javascripts/projects/components/new_edit_form.vue
index 4a6146e2f24..88cde7aba17 100644
--- a/app/assets/javascripts/projects/components/new_edit_form.vue
+++ b/app/assets/javascripts/projects/components/new_edit_form.vue
@@ -85,7 +85,7 @@ export default {
           },
           inputAttrs: {
             class: 'gl-md-form-input-lg',
-            placeholder: s__('ProjectsNewEdit|My awesome project'),
+            placeholder: s__('ProjectsNewEdit|My project'),
           },
         },
         [FORM_FIELD_ID]: {
diff --git a/app/assets/javascripts/projects/new_v2/components/shared_project_creation_fields.vue b/app/assets/javascripts/projects/new_v2/components/shared_project_creation_fields.vue
index 6def6f74db2..ce3dd12e0b1 100644
--- a/app/assets/javascripts/projects/new_v2/components/shared_project_creation_fields.vue
+++ b/app/assets/javascripts/projects/new_v2/components/shared_project_creation_fields.vue
@@ -141,7 +141,7 @@ export default {
         :state="form.fields['project[name]'].state"
         name="project[name]"
         required
-        :placeholder="s__('ProjectsNew|My awesome project')"
+        :placeholder="s__('ProjectsNew|My project')"
         data-testid="project-name-input"
         @input="updateSlug"
       />
diff --git a/app/assets/javascripts/search/results/components/blob_header.vue b/app/assets/javascripts/search/results/components/blob_header.vue
index 3698703ea01..e2d8c11cbe5 100644
--- a/app/assets/javascripts/search/results/components/blob_header.vue
+++ b/app/assets/javascripts/search/results/components/blob_header.vue
@@ -2,6 +2,7 @@
 import { GlLink, GlLabel } from '@gitlab/ui';
 // eslint-disable-next-line no-restricted-imports
 import { mapState } from 'vuex';
+import { sanitize } from '~/lib/dompurify';
 import GlSafeHtmlDirective from '~/vue_shared/directives/safe_html';
 import ClipboardButton from '~/vue_shared/components/clipboard_button.vue';
 import FileIcon from '~/vue_shared/components/file_icon.vue';
@@ -58,19 +59,21 @@ export default {
   computed: {
     ...mapState(['query']),
     gfmCopyText() {
-      return `\`${this.filePath}\``;
+      return `\`${this.purePath(this.filePath)}\``;
     },
     highlightedFilePath() {
+      const cleanFilePath = this.purePath(this.filePath);
+
       if (!this?.query?.search) {
-        return this.filePath;
+        return cleanFilePath;
       }
 
       if (containsPotentialRegex(this.query.search)) {
-        return this.filePath;
+        return cleanFilePath;
       }
 
       const regex = new RegExp(`(${this.query.search})`, 'g');
-      return this.filePath.replace(
+      return cleanFilePath.replace(
         regex,
         (match, p1) =>
           `<span class="highlight-search-term ${this.systemMatchCodeTheme}">${p1}</span>`,
@@ -93,6 +96,9 @@ export default {
     trackHeaderClick() {
       this.trackEvent(EVENT_CLICK_HEADER_LINK);
     },
+    purePath(path) {
+      return sanitize(path, { ALLOWED_TAGS: [] });
+    },
   },
   DEFAULT_HEADER_LABEL_COLOR,
 };
diff --git a/app/assets/javascripts/work_items/components/create_work_item.vue b/app/assets/javascripts/work_items/components/create_work_item.vue
index 8007515c353..ba231f70ca7 100644
--- a/app/assets/javascripts/work_items/components/create_work_item.vue
+++ b/app/assets/javascripts/work_items/components/create_work_item.vue
@@ -287,14 +287,16 @@ export default {
           });
         }
 
-        const selectedWorkItemType = this.workItemTypes?.find(
-          (workItemType) => workItemType.name === this.preselectedWorkItemType,
-        );
+        const selectedWorkItemType = this.findWorkItemType(this.preselectedWorkItemType);
 
         if (selectedWorkItemType) {
           this.selectedWorkItemTypeId = selectedWorkItemType?.id;
         } else {
           this.showWorkItemTypeSelect = true;
+          const defaultSelectedWorkItemType =
+            this.findWorkItemType(WORK_ITEM_TYPE_NAME_ISSUE) || this.workItemTypes?.at(0);
+          this.selectedWorkItemTypeId = defaultSelectedWorkItemType?.id;
+          this.$emit('changeType', defaultSelectedWorkItemType);
         }
       },
       error() {
@@ -606,6 +608,9 @@ export default {
     document.removeEventListener('keydown', this.handleKeydown);
   },
   methods: {
+    findWorkItemType(workItemTypeName) {
+      return this.workItemTypes?.find((workItemType) => workItemType.name === workItemTypeName);
+    },
     initialSelectedProject() {
       if (this.relatedItem) {
         return this.relatedItem.reference.substring(0, this.relatedItem.reference.lastIndexOf('#'));
@@ -913,12 +918,14 @@ export default {
             v-if="showProjectSelector"
             class="gl-max-w-26 gl-flex-grow"
             :label="__('Project')"
+            label-for="create-work-item-project"
           >
             <work-item-projects-listbox
               v-model="selectedProjectFullPath"
               :full-path="fullPath"
               :is-group="isGroup"
               :current-project-name="namespaceFullName"
+              toggle-id="create-work-item-project"
             />
           </gl-form-group>
         </template>
diff --git a/app/assets/javascripts/work_items/components/shared/work_item_namespace_listbox.vue b/app/assets/javascripts/work_items/components/shared/work_item_namespace_listbox.vue
index dda54e4bca2..ddd392d8125 100644
--- a/app/assets/javascripts/work_items/components/shared/work_item_namespace_listbox.vue
+++ b/app/assets/javascripts/work_items/components/shared/work_item_namespace_listbox.vue
@@ -52,7 +52,6 @@ export default {
         return {
           fullPath: this.rootPath,
           projectSearch: this.searchKey,
-          includeArchived: false,
         };
       },
       update(data) {
diff --git a/app/assets/javascripts/work_items/components/work_item_breadcrumb.vue b/app/assets/javascripts/work_items/components/work_item_breadcrumb.vue
index 8f676492153..8a1e5f8e841 100644
--- a/app/assets/javascripts/work_items/components/work_item_breadcrumb.vue
+++ b/app/assets/javascripts/work_items/components/work_item_breadcrumb.vue
@@ -47,7 +47,7 @@ export default {
         return __('Epics');
       }
 
-      return this.isGroup ? s__('WorkItem|Work items') : __('Issues');
+      return __('Issues');
     },
     issueAsWorkItem() {
       return (
diff --git a/app/assets/javascripts/work_items/components/work_item_links/work_item_projects_listbox.vue b/app/assets/javascripts/work_items/components/work_item_links/work_item_projects_listbox.vue
index adbfb44e902..3029d70e197 100644
--- a/app/assets/javascripts/work_items/components/work_item_links/work_item_projects_listbox.vue
+++ b/app/assets/javascripts/work_items/components/work_item_links/work_item_projects_listbox.vue
@@ -39,6 +39,11 @@ export default {
       type: String,
       default: null,
     },
+    toggleId: {
+      type: String,
+      required: false,
+      default: undefined,
+    },
   },
   data() {
     return {
@@ -57,14 +62,15 @@ export default {
         return {
           fullPath: this.fullPath,
           projectSearch: this.searchKey,
-          includeArchived: false,
         };
       },
       update(data) {
         return data.namespace?.projects?.nodes;
       },
       result() {
-        this.selectedProject = this.findSelectedProject(this.selectedProjectFullPath);
+        this.selectedProject =
+          this.findSelectedProject(this.selectedProjectFullPath) || this.projects?.at(0);
+        this.$emit('selectProject', this.selectedProject?.fullPath);
       },
     },
   },
@@ -78,7 +84,7 @@ export default {
          * name_with_namespace doesn't exist. Therefore we rely on
          * namespace directly.
          * */
-        return this.selectedProject.nameWithNamespace || this.selectedProject.namespace;
+        return this.selectedProject.name || this.selectedProject.namespace;
       }
       return this.selectedProjectFullPath && this.currentProjectName
         ? this.currentProjectName
@@ -213,6 +219,7 @@ export default {
     is-check-centered
     :items="listItems"
     :selected="selectedProjectFullPath"
+    :toggle-id="toggleId"
     :toggle-text="dropdownToggleText"
     :searching="projectsLoading"
     fluid-width
diff --git a/app/assets/javascripts/work_items/graphql/namespace_projects_for_links_widget.query.graphql b/app/assets/javascripts/work_items/graphql/namespace_projects_for_links_widget.query.graphql
index 4c6e1064a73..d495946137f 100644
--- a/app/assets/javascripts/work_items/graphql/namespace_projects_for_links_widget.query.graphql
+++ b/app/assets/javascripts/work_items/graphql/namespace_projects_for_links_widget.query.graphql
@@ -1,8 +1,4 @@
-query namespaceProjectsForLinksWidget(
-  $fullPath: ID!
-  $projectSearch: String
-  $includeArchived: Boolean = false
-) {
+query namespaceProjectsForLinksWidget($fullPath: ID!, $projectSearch: String) {
   namespace(fullPath: $fullPath) {
     id
     projects(
@@ -10,7 +6,8 @@ query namespaceProjectsForLinksWidget(
       includeSubgroups: true
       includeSiblingProjects: true
       sort: ACTIVITY_DESC
-      includeArchived: $includeArchived
+      includeArchived: false
+      withIssuesEnabled: true
     ) {
       nodes {
         id
diff --git a/app/assets/javascripts/work_items/index.js b/app/assets/javascripts/work_items/index.js
index 6077cbaa35f..008f5e2a4b2 100644
--- a/app/assets/javascripts/work_items/index.js
+++ b/app/assets/javascripts/work_items/index.js
@@ -11,11 +11,12 @@ import { apolloProvider } from '~/graphql_shared/issuable_client';
 import App from './components/app.vue';
 import WorkItemBreadcrumb from './components/work_item_breadcrumb.vue';
 import activeDiscussionQuery from './components/design_management/graphql/client/active_design_discussion.query.graphql';
+import { WORK_ITEM_TYPE_NAME_EPIC } from './constants';
 import { createRouter } from './router';
 
 Vue.use(VueApollo);
 
-export const initWorkItemsRoot = ({ workspaceType, withTabs } = {}) => {
+export const initWorkItemsRoot = ({ workItemType, workspaceType, withTabs } = {}) => {
   const el = document.querySelector('#js-work-items');
 
   if (!el) {
@@ -46,7 +47,6 @@ export const initWorkItemsRoot = ({ workspaceType, withTabs } = {}) => {
     defaultBranch,
     initialSort,
     isSignedIn,
-    workItemType,
     hasEpicsFeature,
     showNewWorkItem,
     canCreateEpic,
@@ -71,7 +71,7 @@ export const initWorkItemsRoot = ({ workspaceType, withTabs } = {}) => {
 
   const breadcrumbParams = { workItemType, isGroup };
 
-  if (isGroup) {
+  if (workItemType === WORK_ITEM_TYPE_NAME_EPIC) {
     listPath = epicsListPath;
     breadcrumbParams.listPath = epicsListPath;
   } else {
diff --git a/app/assets/javascripts/work_items/pages/create_work_item.vue b/app/assets/javascripts/work_items/pages/create_work_item.vue
index 96be40d5e5d..2df381674da 100644
--- a/app/assets/javascripts/work_items/pages/create_work_item.vue
+++ b/app/assets/javascripts/work_items/pages/create_work_item.vue
@@ -8,8 +8,9 @@ import {
   ROUTES,
   RELATED_ITEM_ID_URL_QUERY_PARAM,
   BASE_ALLOWED_CREATE_TYPES,
-  WORK_ITEM_TYPE_NAME_ISSUE,
+  WORK_ITEM_TYPE_NAME_EPIC,
   WORK_ITEM_TYPE_NAME_INCIDENT,
+  WORK_ITEM_TYPE_NAME_ISSUE,
   WORK_ITEM_TYPE_NAME_TASK,
 } from '../constants';
 import workItemRelatedItemQuery from '../graphql/work_item_related_item.query.graphql';
@@ -74,6 +75,9 @@ export default {
     },
   },
   computed: {
+    isEpic() {
+      return this.workItemType === WORK_ITEM_TYPE_NAME_EPIC;
+    },
     isIncident() {
       return this.workItemType === WORK_ITEM_TYPE_NAME_INCIDENT;
     },
@@ -90,13 +94,16 @@ export default {
 
       return [];
     },
+    isNewGroupWorkItem() {
+      return !this.isEpic && this.isGroup;
+    },
   },
   methods: {
     updateWorkItemType(type) {
       this.workItemType = type;
     },
     workItemCreated({ workItem, numberOfDiscussionsResolved }) {
-      if (this.$router && !this.isIncident) {
+      if (this.$router && !this.isIncident && !this.isNewGroupWorkItem) {
         const routerPushObject = {
           name: ROUTES.workItem,
           params: { iid: workItem.iid },
@@ -159,7 +166,8 @@ export default {
       :is-group="isGroup"
       :related-item="relatedItem"
       :should-discard-draft="shouldDiscardDraft"
-      :always-show-work-item-type-select="!isGroup"
+      :always-show-work-item-type-select="!isEpic"
+      :show-project-selector="isNewGroupWorkItem"
       :allowed-work-item-types="allowedWorkItemTypes"
       @updateType="updateWorkItemType($event)"
       @confirmCancel="handleConfirmCancellation"
diff --git a/app/components/rapid_diffs/diff_file_component.rb b/app/components/rapid_diffs/diff_file_component.rb
index 6d49ba10370..c51e3b3bfea 100644
--- a/app/components/rapid_diffs/diff_file_component.rb
+++ b/app/components/rapid_diffs/diff_file_component.rb
@@ -26,7 +26,7 @@ module RapidDiffs
     end
 
     def viewer_component
-      return Viewers::NoPreviewComponent if empty_diff?
+      return Viewers::NoPreviewComponent if @diff_file.no_preview?
 
       if @diff_file.diffable_text?
         return Viewers::Text::ParallelViewComponent if @parallel_view
@@ -39,16 +39,12 @@ module RapidDiffs
       Viewers::NoPreviewComponent
     end
 
-    def empty_diff?
-      @diff_file.collapsed? || !@diff_file.modified_file?
-    end
-
     def default_header
       render RapidDiffs::DiffFileHeaderComponent.new(diff_file: @diff_file)
     end
 
     def total_rows
-      return 0 unless !empty_diff? && @diff_file.diffable_text?
+      return 0 unless !@diff_file.no_preview? && @diff_file.diffable_text?
 
       count = 0
       @diff_file.viewer_hunks.each do |hunk|
diff --git a/app/controllers/concerns/rapid_diffs/streaming_resource.rb b/app/controllers/concerns/rapid_diffs/streaming_resource.rb
index eec04a06d51..01763c43d2b 100644
--- a/app/controllers/concerns/rapid_diffs/streaming_resource.rb
+++ b/app/controllers/concerns/rapid_diffs/streaming_resource.rb
@@ -74,34 +74,36 @@ module RapidDiffs
 
       return render_empty_state if diff_files.empty?
 
-      each_growing_slice(diff_files, 5, 2) do |slice|
-        response.stream.write(render_diff_files_collection(slice, view_context))
+      skipped = []
+      diff_files.each do |diff_file|
+        if diff_file.no_preview?
+          skipped << diff_file
+        else
+          unless skipped.empty?
+            response.stream.write(diff_files_collection(skipped).render_in(view_context))
+            skipped = []
+          end
+
+          response.stream.write(diff_file_component(diff_file).render_in(view_context))
+        end
       end
+
+      response.stream.write(diff_files_collection(skipped).render_in(view_context)) unless skipped.empty?
     end
 
-    def each_growing_slice(collection, initial_size, growth_factor = 2)
-      position = 0
-      size = initial_size
-      total = collection.size
-
-      while position < total
-        yield collection.drop(position).first(size)
-
-        position = [position + size, total].min
-        size = (size * growth_factor).to_i
-      end
+    def diff_file_component(diff_file)
+      ::RapidDiffs::DiffFileComponent.new(diff_file: diff_file, parallel_view: view == :parallel)
     end
 
-    def render_diff_files_collection(diff_files, view_context)
+    def diff_files_collection(diff_files)
       ::RapidDiffs::DiffFileComponent.with_collection(diff_files, parallel_view: view == :parallel)
-        .render_in(view_context)
     end
 
     def stream_diff_blobs(options, view_context)
       return render_empty_state if resource.diffs_for_streaming(options).count == 0
 
       resource.diffs_for_streaming(options) do |diff_files_batch|
-        response.stream.write(render_diff_files_collection(diff_files_batch, view_context))
+        response.stream.write(diff_files_collection(diff_files_batch).render_in(view_context))
       end
     end
 
diff --git a/app/controllers/glql/base_controller.rb b/app/controllers/glql/base_controller.rb
index 63025a98bc2..89d8062f269 100644
--- a/app/controllers/glql/base_controller.rb
+++ b/app/controllers/glql/base_controller.rb
@@ -54,7 +54,9 @@ module Glql
     end
 
     def logs
-      super.map do |log|
+      graphql_logs = super.presence || [{}]
+
+      graphql_logs.map do |log|
         log.merge(
           glql_referer: request.headers["Referer"],
           glql_query_sha: query_sha
diff --git a/app/controllers/groups/uploads_controller.rb b/app/controllers/groups/uploads_controller.rb
index a5de78aa5e6..b77d9ade8f8 100644
--- a/app/controllers/groups/uploads_controller.rb
+++ b/app/controllers/groups/uploads_controller.rb
@@ -11,7 +11,6 @@ class Groups::UploadsController < Groups::ApplicationController
   before_action :disallow_new_uploads!, only: :show
 
   feature_category :portfolio_management
-  urgency :low, [:show]
 
   private
 
diff --git a/app/controllers/groups/work_items_controller.rb b/app/controllers/groups/work_items_controller.rb
index b60a2d07e09..8f7413d6782 100644
--- a/app/controllers/groups/work_items_controller.rb
+++ b/app/controllers/groups/work_items_controller.rb
@@ -37,11 +37,9 @@ module Groups
     def handle_new_work_item_path
       return unless show_params[:iid] == 'new'
 
-      if group.supports_group_work_items?
-        render :show
-      else
-        not_found
-      end
+      authenticate_user!
+
+      render :show
     end
 
     def show_params
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 63d7b331e1d..e703c46ec09 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -88,8 +88,7 @@ class Projects::IssuesController < Projects::ApplicationController
     :can_create_branch, :create_merge_request
   ]
   urgency :low, [
-    :index, :calendar, :show, :new, :create, :edit, :update,
-    :destroy, :move, :reorder, :designs, :toggle_subscription,
+    :index, :calendar, :show, :new, :update, :move, :reorder, :designs, :toggle_subscription,
     :discussions, :bulk_update, :realtime_changes,
     :toggle_award_emoji, :mark_as_spam, :related_branches,
     :can_create_branch, :create_merge_request
diff --git a/app/controllers/projects/merge_requests/diffs_stream_controller.rb b/app/controllers/projects/merge_requests/diffs_stream_controller.rb
index 32af9c5421a..22a5f2562ee 100644
--- a/app/controllers/projects/merge_requests/diffs_stream_controller.rb
+++ b/app/controllers/projects/merge_requests/diffs_stream_controller.rb
@@ -11,10 +11,14 @@ module Projects
         @merge_request
       end
 
-      def render_diff_files_collection(diff_files, view_context)
+      def diff_file_component(diff_file)
+        ::RapidDiffs::MergeRequestDiffFileComponent
+          .new(diff_file: diff_file, merge_request: @merge_request, parallel_view: view == :parallel)
+      end
+
+      def diff_files_collection(diff_files)
         ::RapidDiffs::MergeRequestDiffFileComponent
           .with_collection(diff_files, merge_request: @merge_request, parallel_view: view == :parallel)
-          .render_in(view_context)
       end
 
       def sorted?
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index b9a2c1272ec..123efdb3b11 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -603,13 +603,16 @@ class ProjectsController < Projects::ApplicationController
   def redirect_git_extension
     return unless params[:format] == 'git'
 
+    git_extension_regex = %r{\.git/?\Z}
+    return unless request.path.match?(git_extension_regex)
+
     # `project` calls `find_routable!`, so this will trigger the usual not-found
     # behaviour when the user isn't authorized to see the project
     return if project.nil? || performed?
 
     uri = URI(request.original_url)
     # Strip the '.git' part from the path
-    uri.path = uri.path.sub(%r{\.git/?\Z}, '')
+    uri.path = uri.path.sub(git_extension_regex, '')
 
     redirect_to(uri.to_s)
   end
diff --git a/app/graphql/mutations/alert_management/http_integration/create.rb b/app/graphql/mutations/alert_management/http_integration/create.rb
index f1842d88fc3..2ce3401823c 100644
--- a/app/graphql/mutations/alert_management/http_integration/create.rb
+++ b/app/graphql/mutations/alert_management/http_integration/create.rb
@@ -16,6 +16,13 @@ module Mutations
           required: true,
           description: 'Name of the integration.'
 
+        argument :type, Types::AlertManagement::IntegrationTypeEnum,
+          as: :type_identifier,
+          required: false,
+          default_value: :http,
+          replace_null_with_default: true,
+          description: 'Type of integration to create. Cannot be changed after creation.'
+
         argument :active, GraphQL::Types::Boolean,
           required: true,
           description: 'Whether the integration is receiving alerts.'
diff --git a/app/graphql/mutations/alert_management/http_integration/http_integration_base.rb b/app/graphql/mutations/alert_management/http_integration/http_integration_base.rb
index f23b6d2bc67..3837d5399ba 100644
--- a/app/graphql/mutations/alert_management/http_integration/http_integration_base.rb
+++ b/app/graphql/mutations/alert_management/http_integration/http_integration_base.rb
@@ -7,7 +7,7 @@ module Mutations
         field :integration,
           Types::AlertManagement::HttpIntegrationType,
           null: true,
-          description: "HTTP integration."
+          description: "Alerting integration."
 
         authorize :admin_operations
 
@@ -22,7 +22,7 @@ module Mutations
 
         # overriden in EE
         def http_integration_params(_project, args)
-          args.slice(:name, :active)
+          args.slice(:name, :active, :type_identifier)
         end
       end
     end
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 2df80297d7e..83083f66450 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -377,6 +377,8 @@ module ApplicationSettingsHelper
       :max_export_size,
       :max_github_response_size_limit,
       :max_github_response_json_value_count,
+      :max_http_decompressed_size,
+      :max_http_response_size_limit,
       :max_import_size,
       :max_import_remote_file_size,
       :max_login_attempts,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 5dea05c9b13..f4bd488d531 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -655,6 +655,8 @@ class ApplicationSetting < ApplicationRecord
       :max_export_size,
       :max_github_response_size_limit,
       :max_github_response_json_value_count,
+      :max_http_decompressed_size,
+      :max_http_response_size_limit,
       :max_import_remote_file_size,
       :max_import_size,
       :max_pages_custom_domains_per_project,
@@ -706,6 +708,8 @@ class ApplicationSetting < ApplicationRecord
   validates :clickhouse, json_schema: { filename: "application_setting_clickhouse" }
 
   jsonb_accessor :response_limits,
+    max_http_response_size_limit: [:integer, { default: 100 }],
+    max_http_decompressed_size: [:integer, { default: 100 }],
     max_github_response_size_limit: [:integer, { default: 8 }],
     max_github_response_json_value_count: [:integer, { default: 250_000 }]
 
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index e4de7f61569..b955ff22373 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -142,6 +142,8 @@ module ApplicationSettingImplementation
         max_export_size: 0,
         max_github_response_size_limit: 8,
         max_github_response_json_value_count: 250_000,
+        max_http_decompressed_size: 100,
+        max_http_response_size_limit: 100,
         max_import_size: 0,
         max_import_remote_file_size: 10240,
         max_login_attempts: nil,
diff --git a/app/models/board.rb b/app/models/board.rb
index e407ffe582f..d98b43164fb 100644
--- a/app/models/board.rb
+++ b/app/models/board.rb
@@ -11,7 +11,7 @@ class Board < ApplicationRecord
   has_many :lists, -> { ordered }, dependent: :delete_all, inverse_of: :board # rubocop:disable Cop/ActiveRecordDependent
   has_many :destroyable_lists, -> { destroyable.ordered }, class_name: "List", inverse_of: :board
 
-  validates :name, presence: true
+  validates :name, presence: true, length: { maximum: 255, if: :name_changed? }
   validates :project, presence: true, if: :project_needed?
   validates :group, presence: true, unless: :project
   validates :group, absence: {
diff --git a/app/models/concerns/integrations/base/asana.rb b/app/models/concerns/integrations/base/asana.rb
index 4b7066069a9..562a75857a0 100644
--- a/app/models/concerns/integrations/base/asana.rb
+++ b/app/models/concerns/integrations/base/asana.rb
@@ -112,7 +112,7 @@ module Integrations
 
           begin
             story_on_task_url = format(STORY_URL_TEMPLATE, task_gid: task_id)
-            Gitlab::HTTP.post(
+            Clients::HTTP.post(
               story_on_task_url,
               headers: { "Authorization" => "Bearer #{api_key}" },
               body: { text: "#{push_msg} #{message}" }
@@ -120,7 +120,8 @@ module Integrations
 
             if prepended_text.match?(proceded_keyword_finder)
               task_url = format(TASK_URL_TEMPLATE, task_gid: task_id)
-              Gitlab::HTTP.put(task_url, headers: { "Authorization" => "Bearer #{api_key}" }, body: { completed: true })
+              Clients::HTTP.put(task_url, headers: { "Authorization" => "Bearer #{api_key}" },
+                body: { completed: true })
             end
           rescue StandardError => e
             log_error(e.message)
@@ -130,7 +131,7 @@ module Integrations
       end
 
       def test(_)
-        result = Gitlab::HTTP.get(PERSONAL_ACCESS_TOKEN_TEST_URL, headers: { "Authorization" => "Bearer #{api_key}" })
+        result = Clients::HTTP.get(PERSONAL_ACCESS_TOKEN_TEST_URL, headers: { "Authorization" => "Bearer #{api_key}" })
 
         if result.success?
           { success: true }
diff --git a/app/models/concerns/integrations/base/assembla.rb b/app/models/concerns/integrations/base/assembla.rb
index ef98cf8951a..b10fcbf92f5 100644
--- a/app/models/concerns/integrations/base/assembla.rb
+++ b/app/models/concerns/integrations/base/assembla.rb
@@ -46,7 +46,7 @@ module Integrations
         url = "https://atlas.assembla.com/spaces/#{URI.encode_www_form_component(subdomain)}/github_tool?secret_key=#{URI.encode_www_form_component(token)}"
         body = { payload: data }
 
-        Gitlab::HTTP.post(
+        Clients::HTTP.post(
           url,
           body: Gitlab::Json.dump(body),
           headers: { 'Content-Type' => 'application/json' }
diff --git a/app/models/concerns/integrations/base/bamboo.rb b/app/models/concerns/integrations/base/bamboo.rb
index 7b7d4cd4da1..4ca303374c1 100644
--- a/app/models/concerns/integrations/base/bamboo.rb
+++ b/app/models/concerns/integrations/base/bamboo.rb
@@ -154,11 +154,11 @@ module Integrations
         params = build_get_params(query_params)
         params[:extra_log_info] = { project_id: project_id }
 
-        Gitlab::HTTP.try_get(build_url(path), params)
+        Clients::HTTP.try_get(build_url(path), params)
       end
 
       def get_path(path, query_params = {})
-        Gitlab::HTTP.get(build_url(path), build_get_params(query_params))
+        Clients::HTTP.get(build_url(path), build_get_params(query_params))
       end
 
       def build_url(path)
diff --git a/app/models/concerns/integrations/base/external_wiki.rb b/app/models/concerns/integrations/base/external_wiki.rb
index a34a1a93475..4fad4c82044 100644
--- a/app/models/concerns/integrations/base/external_wiki.rb
+++ b/app/models/concerns/integrations/base/external_wiki.rb
@@ -54,7 +54,7 @@ module Integrations
       end
 
       def execute(_data)
-        response = Gitlab::HTTP.get(properties['external_wiki_url'], verify: true)
+        response = Clients::HTTP.get(properties['external_wiki_url'], verify: true)
         response.body if response.code == 200
       rescue StandardError
         nil
diff --git a/app/models/concerns/integrations/base/hangouts_chat.rb b/app/models/concerns/integrations/base/hangouts_chat.rb
index 8fe463e52e8..577738522ab 100644
--- a/app/models/concerns/integrations/base/hangouts_chat.rb
+++ b/app/models/concerns/integrations/base/hangouts_chat.rb
@@ -69,7 +69,7 @@ module Integrations
           key = parse_thread_key(message)
           payload = { text: parse_simple_text_message(message), thread: { threadKey: key }.compact }.compact_blank!
 
-          Gitlab::HTTP.post(
+          Clients::HTTP.post(
             url,
             body: payload.to_json,
             headers: { 'Content-Type' => 'application/json' },
diff --git a/app/models/concerns/integrations/base/issue_tracker.rb b/app/models/concerns/integrations/base/issue_tracker.rb
index d09acef98b9..1f8e0cab29f 100644
--- a/app/models/concerns/integrations/base/issue_tracker.rb
+++ b/app/models/concerns/integrations/base/issue_tracker.rb
@@ -106,7 +106,7 @@ module Integrations
         result = false
 
         begin
-          response = Gitlab::HTTP.head(project_url, verify: true)
+          response = Clients::HTTP.head(project_url, verify: true)
 
           if response
             message = "#{type} received response #{response.code} when attempting to connect to #{project_url}"
diff --git a/app/models/concerns/integrations/base/mock_ci.rb b/app/models/concerns/integrations/base/mock_ci.rb
index 8c76b319b80..c1dd4f9806f 100644
--- a/app/models/concerns/integrations/base/mock_ci.rb
+++ b/app/models/concerns/integrations/base/mock_ci.rb
@@ -56,7 +56,7 @@ module Integrations
         #   # => 'running'
         #
         def commit_status(sha, _ref)
-          response = Gitlab::HTTP.get(commit_status_path(sha), verify: enable_ssl_verification)
+          response = Clients::HTTP.get(commit_status_path(sha), verify: enable_ssl_verification)
           read_commit_status(response)
         rescue Errno::ECONNREFUSED
           :error
diff --git a/app/models/concerns/integrations/base/pivotaltracker.rb b/app/models/concerns/integrations/base/pivotaltracker.rb
index 85dc61e4d4e..895a1189cf4 100644
--- a/app/models/concerns/integrations/base/pivotaltracker.rb
+++ b/app/models/concerns/integrations/base/pivotaltracker.rb
@@ -66,7 +66,7 @@ module Integrations
                 'message' => commit[:message]
               }
             }
-            Gitlab::HTTP.post(
+            Clients::HTTP.post(
               API_ENDPOINT,
               body: Gitlab::Json.dump(message),
               headers: {
diff --git a/app/models/concerns/integrations/base/pumble.rb b/app/models/concerns/integrations/base/pumble.rb
index 942f8a85081..e44aa18c8b9 100644
--- a/app/models/concerns/integrations/base/pumble.rb
+++ b/app/models/concerns/integrations/base/pumble.rb
@@ -62,7 +62,7 @@ module Integrations
 
         def notify(message, _opts)
           header = { 'Content-Type' => 'application/json' }
-          response = Gitlab::HTTP.post(webhook, headers: header, body: Gitlab::Json.dump({ text: message.summary }))
+          response = Clients::HTTP.post(webhook, headers: header, body: Gitlab::Json.dump({ text: message.summary }))
 
           response if response.success?
         end
diff --git a/app/models/concerns/integrations/base/pushover.rb b/app/models/concerns/integrations/base/pushover.rb
index ac12dd1fc5c..f1a63d5c553 100644
--- a/app/models/concerns/integrations/base/pushover.rb
+++ b/app/models/concerns/integrations/base/pushover.rb
@@ -154,7 +154,7 @@ module Integrations
           # Sound parameter MUST NOT be sent to API if not selected
           pushover_data[:sound] = sound if sound
 
-          Gitlab::HTTP.post('/messages.json', base_uri: BASE_URI, body: pushover_data)
+          Clients::HTTP.post('/messages.json', base_uri: BASE_URI, body: pushover_data)
         end
       end
     end
diff --git a/app/models/concerns/integrations/base/teamcity.rb b/app/models/concerns/integrations/base/teamcity.rb
index 49d43f55f1e..b8ae76d814c 100644
--- a/app/models/concerns/integrations/base/teamcity.rb
+++ b/app/models/concerns/integrations/base/teamcity.rb
@@ -167,7 +167,7 @@ module Integrations
       end
 
       def get_path(path)
-        Gitlab::HTTP.try_get(
+        Clients::HTTP.try_get(
           build_url(path),
           verify: enable_ssl_verification,
           basic_auth: basic_auth,
@@ -176,7 +176,7 @@ module Integrations
       end
 
       def post_to_build_queue(_data, branch)
-        Gitlab::HTTP.post(
+        Clients::HTTP.post(
           build_url('httpAuth/app/rest/buildQueue'),
           body: "<build branchName=#{branch.encode(xml: :attr)}>" \
             "<buildType id=#{build_type.encode(xml: :attr)}/>" \
diff --git a/app/models/concerns/integrations/base/telegram.rb b/app/models/concerns/integrations/base/telegram.rb
index c68cf19a79f..141b62084f0 100644
--- a/app/models/concerns/integrations/base/telegram.rb
+++ b/app/models/concerns/integrations/base/telegram.rb
@@ -113,13 +113,13 @@ module Integrations
           }.compact_blank
 
           header = { 'Content-Type' => 'application/json' }
-          response = Gitlab::HTTP.post(webhook, headers: header, body: Gitlab::Json.dump(body))
+          response = Clients::HTTP.post(webhook, headers: header, body: Gitlab::Json.dump(body))
 
           # We're retrying the request with a different format to ensure accurate formatting and
           # avoid receiving a 400 response due to invalid markdown.
           if response.bad_request?
             body.except!(:parse_mode)
-            response = Gitlab::HTTP.post(webhook, headers: header, body: Gitlab::Json.dump(body))
+            response = Clients::HTTP.post(webhook, headers: header, body: Gitlab::Json.dump(body))
           end
 
           response if response.success?
diff --git a/app/models/concerns/integrations/base/unify_circuit.rb b/app/models/concerns/integrations/base/unify_circuit.rb
index 504985e281c..97c4ecf6ba8 100644
--- a/app/models/concerns/integrations/base/unify_circuit.rb
+++ b/app/models/concerns/integrations/base/unify_circuit.rb
@@ -64,7 +64,7 @@ module Integrations
             markdown: true
           }
 
-          response = Gitlab::HTTP.post(webhook, body: Gitlab::Json.dump(body))
+          response = Clients::HTTP.post(webhook, body: Gitlab::Json.dump(body))
 
           response if response.success?
         end
diff --git a/app/models/concerns/integrations/base/webex_teams.rb b/app/models/concerns/integrations/base/webex_teams.rb
index 735c069ce8a..8249cc633e1 100644
--- a/app/models/concerns/integrations/base/webex_teams.rb
+++ b/app/models/concerns/integrations/base/webex_teams.rb
@@ -55,7 +55,8 @@ module Integrations
 
         def notify(message, _opts)
           header = { 'Content-Type' => 'application/json' }
-          response = Gitlab::HTTP.post(webhook, headers: header, body: Gitlab::Json.dump({ markdown: message.summary }))
+          response = Clients::HTTP.post(webhook, headers: header,
+            body: Gitlab::Json.dump({ markdown: message.summary }))
 
           response if response.success?
         end
diff --git a/app/models/concerns/integrations/slack_mattermost_notifier.rb b/app/models/concerns/integrations/slack_mattermost_notifier.rb
index 1ecddc015ab..f2ecb41c940 100644
--- a/app/models/concerns/integrations/slack_mattermost_notifier.rb
+++ b/app/models/concerns/integrations/slack_mattermost_notifier.rb
@@ -34,7 +34,7 @@ module Integrations
     class HTTPClient
       def self.post(uri, params = {})
         params.delete(:http_options) # these are internal to the client and we do not want them
-        Gitlab::HTTP.post(uri, body: params)
+        Clients::HTTP.post(uri, body: params)
       end
     end
   end
diff --git a/app/models/concerns/web_hooks/hook.rb b/app/models/concerns/web_hooks/hook.rb
index d89e1148a43..d57b5b02113 100644
--- a/app/models/concerns/web_hooks/hook.rb
+++ b/app/models/concerns/web_hooks/hook.rb
@@ -7,6 +7,7 @@ module WebHooks
     InterpolationError = Class.new(StandardError)
 
     SECRET_MASK = '************'
+    MAX_PARAM_LENGTH = 8192
 
     # See app/validators/json_schemas/web_hooks_url_variables.json
     VARIABLE_REFERENCE_RE = /\{([A-Za-z]+[0-9]*(?:[._-][A-Za-z0-9]+)*)\}/
@@ -45,9 +46,14 @@ module WebHooks
         encode_iv: false
 
       validates :url, presence: true
-      validates :url, public_url: true, if: ->(hook) { hook.validate_public_url? && !hook.url_variables? }
+      validates :url, length: { maximum: MAX_PARAM_LENGTH }
+      validates :url, public_url: true, if: ->(hook) {
+        # Apply the validation up to the point where the length validation above would make the record invalid.
+        # See https://gitlab.com/gitlab-org/gitlab/-/issues/524020#note_2529307579
+        (hook.url&.length&.<= MAX_PARAM_LENGTH) && hook.validate_public_url? && !hook.url_variables?
+      }
 
-      validates :token, format: { without: /\n/ }
+      validates :token, length: { maximum: MAX_PARAM_LENGTH }, format: { without: /\n/ }
 
       after_initialize :initialize_url_variables
       after_initialize :initialize_custom_headers
diff --git a/app/models/integrations/buildkite.rb b/app/models/integrations/buildkite.rb
index a573422a5a2..b737d7b909b 100644
--- a/app/models/integrations/buildkite.rb
+++ b/app/models/integrations/buildkite.rb
@@ -101,7 +101,7 @@ module Integrations
     end
 
     def calculate_reactive_cache(sha, ref)
-      response = Gitlab::HTTP.try_get(commit_status_path(sha), request_options)
+      response = Clients::HTTP.try_get(commit_status_path(sha), request_options)
 
       status =
         if response&.code == 200 && response['status']
diff --git a/app/models/integrations/campfire.rb b/app/models/integrations/campfire.rb
index 4a0192d5ac5..8f59403b03d 100644
--- a/app/models/integrations/campfire.rb
+++ b/app/models/integrations/campfire.rb
@@ -109,14 +109,14 @@ module Integrations
           }
         }
       }
-      res = Gitlab::HTTP.post(path, base_uri: base_uri, **auth.merge(body))
+      res = Clients::HTTP.post(path, base_uri: base_uri, **auth.merge(body))
       res.code == 201 ? res : nil
     end
 
     # Returns a list of rooms, or [].
     # https://github.com/basecamp/campfire-api/blob/master/sections/rooms.md#get-rooms
     def rooms(auth)
-      res = Gitlab::HTTP.get("/rooms.json", base_uri: base_uri, **auth)
+      res = Clients::HTTP.get("/rooms.json", base_uri: base_uri, **auth)
       res.code == 200 ? res["rooms"] : []
     end
 
diff --git a/app/models/integrations/drone_ci.rb b/app/models/integrations/drone_ci.rb
index d7e7356bb55..27e72b14278 100644
--- a/app/models/integrations/drone_ci.rb
+++ b/app/models/integrations/drone_ci.rb
@@ -61,7 +61,7 @@ module Integrations
     end
 
     def calculate_reactive_cache(sha, ref)
-      response = Gitlab::HTTP.try_get(
+      response = Clients::HTTP.try_get(
         commit_status_path(sha, ref),
         verify: enable_ssl_verification,
         extra_log_info: { project_id: project_id }
diff --git a/app/models/integrations/matrix.rb b/app/models/integrations/matrix.rb
index 1643bd420bf..b1ef8efc104 100644
--- a/app/models/integrations/matrix.rb
+++ b/app/models/integrations/matrix.rb
@@ -105,7 +105,7 @@ module Integrations
       }
       url = URI.parse(webhook)
       url.path << (Time.current.to_f * 1000).round.to_s
-      response = Gitlab::HTTP.put(url, headers: header, body: Gitlab::Json.dump(body))
+      response = Clients::HTTP.put(url, headers: header, body: Gitlab::Json.dump(body))
 
       response if response.success?
     end
diff --git a/app/services/import/gitlab_projects/file_acquisition_strategies/remote_file.rb b/app/services/import/gitlab_projects/file_acquisition_strategies/remote_file.rb
index 609f8207e17..2c5190aee2f 100644
--- a/app/services/import/gitlab_projects/file_acquisition_strategies/remote_file.rb
+++ b/app/services/import/gitlab_projects/file_acquisition_strategies/remote_file.rb
@@ -53,9 +53,9 @@ module Import
         def headers
           return {} if file_url.blank?
 
-          @headers ||= Gitlab::HTTP.head(file_url, timeout: 1.second).headers
+          @headers ||= Clients::HTTP.head(file_url, timeout: 1.second).headers
         rescue StandardError => e
-          errors.add(:base, "Failed to retrive headers: #{e.message}")
+          errors.add(:base, "Failed to retrieve headers: #{e.message}")
 
           {}
         end
diff --git a/app/services/integrations/slack_installation/base_service.rb b/app/services/integrations/slack_installation/base_service.rb
index c9781533cdf..febcb85cc21 100644
--- a/app/services/integrations/slack_installation/base_service.rb
+++ b/app/services/integrations/slack_installation/base_service.rb
@@ -81,7 +81,7 @@ module Integrations
           redirect_uri: redirect_uri
         }
 
-        Gitlab::HTTP.get(SLACK_EXCHANGE_TOKEN_URL, query: query).to_hash
+        Clients::HTTP.get(SLACK_EXCHANGE_TOKEN_URL, query: query).to_hash
       end
 
       # Due to our modelling (mentioned in epic 9418) we create a SlackIntegration record
diff --git a/app/services/integrations/slack_interactions/incident_management/incident_modal_closed_service.rb b/app/services/integrations/slack_interactions/incident_management/incident_modal_closed_service.rb
index 9daa5d76df7..6237c7bb839 100644
--- a/app/services/integrations/slack_interactions/incident_management/incident_modal_closed_service.rb
+++ b/app/services/integrations/slack_interactions/incident_management/incident_modal_closed_service.rb
@@ -39,7 +39,7 @@ module Integrations
           request_body = Gitlab::Json.dump(close_request_body)
           response_url = params.dig(:view, :private_metadata)
 
-          Gitlab::HTTP.post(response_url, body: request_body, headers: headers)
+          Clients::HTTP.post(response_url, body: request_body, headers: headers)
         end
 
         def close_request_body
diff --git a/app/services/integrations/slack_interactions/incident_management/incident_modal_submit_service.rb b/app/services/integrations/slack_interactions/incident_management/incident_modal_submit_service.rb
index e9d86e9228d..ba577089ce9 100644
--- a/app/services/integrations/slack_interactions/incident_management/incident_modal_submit_service.rb
+++ b/app/services/integrations/slack_interactions/incident_management/incident_modal_submit_service.rb
@@ -83,7 +83,7 @@ module Integrations
             text: text
           }
 
-          Gitlab::HTTP.post(
+          Integrations::Clients::HTTP.post(
             response_url,
             body: Gitlab::Json.dump(body),
             headers: { 'Content-Type' => 'application/json' }
diff --git a/app/services/jira_connect_installations/proxy_lifecycle_event_service.rb b/app/services/jira_connect_installations/proxy_lifecycle_event_service.rb
index 9f3b4a37672..eef07046b9c 100644
--- a/app/services/jira_connect_installations/proxy_lifecycle_event_service.rb
+++ b/app/services/jira_connect_installations/proxy_lifecycle_event_service.rb
@@ -41,7 +41,7 @@ module JiraConnectInstallations
     attr_reader :installation, :event
 
     def send_hook
-      Gitlab::HTTP.post(hook_uri, body: body)
+      Integrations::Clients::HTTP.post(hook_uri, body: body)
     end
 
     def hook_uri
diff --git a/app/services/projects/lfs_pointers/lfs_download_link_list_service.rb b/app/services/projects/lfs_pointers/lfs_download_link_list_service.rb
index a87996b70e8..0ca2847a6e1 100644
--- a/app/services/projects/lfs_pointers/lfs_download_link_list_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_link_list_service.rb
@@ -51,12 +51,12 @@ module Projects
       end
 
       def download_links_for(oids)
-        response = Gitlab::HTTP.post(remote_uri, body: request_body(oids), headers: headers)
+        response = ::Import::Clients::HTTP.post(remote_uri, body: request_body(oids), headers: headers)
 
         raise DownloadLinksRequestEntityTooLargeError if response.request_entity_too_large?
         raise DownloadLinksError, response.message unless response.success?
 
-        # Since the LFS Batch API may return a Content-Ttpe of
+        # Since the LFS Batch API may return a Content-Type of
         # application/vnd.git-lfs+json
         # (https://github.com/git-lfs/git-lfs/blob/master/docs/api/batch.md#requests),
         # HTTParty does not know this is actually JSON.
diff --git a/app/services/projects/lfs_pointers/lfs_download_service.rb b/app/services/projects/lfs_pointers/lfs_download_service.rb
index 6e1d2df0627..bf0ebe39fb9 100644
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -79,7 +79,10 @@ module Projects
       end
 
       def download_options
-        http_options = { headers: lfs_headers, stream_body: true }
+        # Set accept-encoding to identity to request web servers not to send a compressed response to avoid using too
+        # much memory to decompress the file. In case the response is encoded, the response size will be limited by
+        # `max_http_decompressed_size application` application setting.
+        http_options = { headers: lfs_headers.merge('accept-encoding' => 'identity'), stream_body: true }
 
         return http_options if lfs_download_object.has_authorization_header?
 
diff --git a/app/services/web_hook_service.rb b/app/services/web_hook_service.rb
index 95f780c0577..91babfdfebc 100644
--- a/app/services/web_hook_service.rb
+++ b/app/services/web_hook_service.rb
@@ -149,6 +149,7 @@ class WebHookService
       headers: build_custom_headers.merge(build_headers),
       verify: hook.enable_ssl_verification,
       basic_auth: basic_auth,
+      max_bytes: Gitlab::CurrentSettings.max_http_response_size_limit.megabytes,
       **request_options)
   end
 
diff --git a/app/validators/json_schemas/application_setting_response_limits.json b/app/validators/json_schemas/application_setting_response_limits.json
index 802f12e29ee..fbcd9a8a088 100644
--- a/app/validators/json_schemas/application_setting_response_limits.json
+++ b/app/validators/json_schemas/application_setting_response_limits.json
@@ -13,6 +13,16 @@
       "type": "integer",
       "minimum": 0,
       "description": "Maximum allowed object count for GitHub API responses. Count is an estimate based on the number of : , { and [ occurrences in the response."
+    },
+    "max_http_decompressed_size": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Maximum allowed size in MB for Gzip-compressed HTTP responses after decompression."
+    },
+    "max_http_response_size_limit": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Maximum allowed size in MB for HTTP responses."
     }
   }
 }
diff --git a/app/views/admin/labels/index.html.haml b/app/views/admin/labels/index.html.haml
index 5989f628096..1d9627f365e 100644
--- a/app/views/admin/labels/index.html.haml
+++ b/app/views/admin/labels/index.html.haml
@@ -2,6 +2,8 @@
 - add_page_specific_style 'page_bundles/labels'
 - page_description = s_('AdminLabels|Labels created here will be automatically added to new projects.')
 
+%h1.gl-sr-only= page_title
+
 %div{ data: { event_tracking_load: 'true', event_tracking: 'view_admin_labels_pageload' } }
 
 - if @labels.present?
diff --git a/app/views/groups/labels/index.html.haml b/app/views/groups/labels/index.html.haml
index 2f2c676b5f4..ff18042f65f 100644
--- a/app/views/groups/labels/index.html.haml
+++ b/app/views/groups/labels/index.html.haml
@@ -5,6 +5,8 @@
 - labels_or_filters = @labels.exists? || search.present? || subscribed.present?
 - add_page_specific_style 'page_bundles/labels'
 
+%h1.gl-sr-only= page_title
+
 - if labels_or_filters
   #js-promote-label-modal
   = render 'shared/labels/nav', labels_or_filters: labels_or_filters, can_admin_label: can_admin_label
diff --git a/app/views/import/shared/_new_project_form.html.haml b/app/views/import/shared/_new_project_form.html.haml
index 4713632f6f0..7d4bfd4c938 100644
--- a/app/views/import/shared/_new_project_form.html.haml
+++ b/app/views/import/shared/_new_project_form.html.haml
@@ -1,7 +1,7 @@
 .row
   .form-group.project-name.col-sm-12
     = label_tag :name, _('Project name'), class: 'label-bold'
-    = text_field_tag :name, @name, placeholder: "My awesome project", class: "js-project-name form-control gl-form-input input-lg", autofocus: true, required: true, aria: { required: true }, data: { testid: 'project-name-field' }
+    = text_field_tag :name, @name, placeholder: s_('ProjectsNew|My project'), class: "js-project-name form-control gl-form-input input-lg", autofocus: true, required: true, aria: { required: true }, data: { testid: 'project-name-field' }
   .form-group.col-12.col-sm-6.gl-pr-0
     = label_tag :namespace_id, _('Project URL'), class: 'label-bold'
     .input-group.gl-flex-nowrap
diff --git a/app/views/projects/_new_project_fields.html.haml b/app/views/projects/_new_project_fields.html.haml
index 8a9b600026b..9afa9ecb6ca 100644
--- a/app/views/projects/_new_project_fields.html.haml
+++ b/app/views/projects/_new_project_fields.html.haml
@@ -10,7 +10,7 @@
   .form-group.gl-form-group.project-name.col-sm-12
     = f.label :name, class: 'label-bold' do
       %span= _("Project name")
-    = f.text_field :name, placeholder: "My awesome project", class: "form-control gl-form-input input-lg", data: { testid: 'project-name', track_label: "#{track_label}", track_action: "activate_form_input", track_property: "project_name", track_value: "" }, required: true, aria: { required: true, describedby: 'js-project-name-description' }
+    = f.text_field :name, placeholder: s_('ProjectsNew|My project'), class: "form-control gl-form-input input-lg", data: { testid: 'project-name', track_label: "#{track_label}", track_action: "activate_form_input", track_property: "project_name", track_value: "" }, required: true, aria: { required: true, describedby: 'js-project-name-description' }
     %small#js-project-name-description.form-text.gl-text-subtle
       = s_("ProjectsNew|Must start with a lowercase or uppercase letter, digit, emoji, or underscore. Can also contain dots, pluses, dashes, or spaces.")
     #js-project-name-error.gl-field-error.gl-mt-2.gl-hidden
diff --git a/app/views/projects/labels/index.html.haml b/app/views/projects/labels/index.html.haml
index 625d90ad856..1e983a761e8 100644
--- a/app/views/projects/labels/index.html.haml
+++ b/app/views/projects/labels/index.html.haml
@@ -5,6 +5,8 @@
 - labels_or_filters = @labels.exists? || @prioritized_labels.exists? || search.present? || subscribed.present?
 - add_page_specific_style 'page_bundles/labels'
 
+%h1.gl-sr-only= page_title
+
 - if labels_or_filters
   #js-promote-label-modal
   = render 'shared/labels/nav', labels_or_filters: labels_or_filters, can_admin_label: can_admin_label
@@ -23,8 +25,8 @@
       body_options: { class: '!gl-m-0' },
       description: _('Drag to reorder prioritized labels and change their relative priority.')) do |c|
       - c.with_body do
-        .js-prioritized-labels.gl-rounded-base.manage-labels-list{ data: { url: set_priorities_project_labels_path(@project), sortable: can_admin_label } }
-          #js-priority-labels-empty-state.priority-labels-empty-state{ class: "#{'hidden' unless @prioritized_labels.empty? && search.blank?}" }
+        %ul.js-prioritized-labels.gl-rounded-base.manage-labels-list{ data: { url: set_priorities_project_labels_path(@project), sortable: can_admin_label } }
+          %li#js-priority-labels-empty-state.priority-labels-empty-state{ class: "#{'hidden' unless @prioritized_labels.empty? && search.blank?}" }
             = render 'shared/empty_states/priority_labels'
           - if @prioritized_labels.any?
             = render partial: 'shared/label', collection: @prioritized_labels, as: :label, locals: { force_priority: true, subject: @project }
@@ -35,7 +37,7 @@
     - if @labels.any?
       = render ::Layouts::CrudComponent.new(hide ? _('Labels') : _('Other labels'), options: { class: 'other-labels' }, count: number_with_delimiter(@labels.total_count), icon: 'label', body_options: { class: '!gl-m-0' }) do |c|
         - c.with_body do
-          .js-other-labels.manage-labels-list
+          %ul.js-other-labels.manage-labels-list
             = render partial: 'shared/label', collection: @labels, as: :label, locals: { subject: @project }
         - c.with_pagination do
           = paginate @labels, theme: 'gitlab'
diff --git a/app/views/shared/empty_states/_priority_labels.html.haml b/app/views/shared/empty_states/_priority_labels.html.haml
index f3f6a5485e5..a3aa247379d 100644
--- a/app/views/shared/empty_states/_priority_labels.html.haml
+++ b/app/views/shared/empty_states/_priority_labels.html.haml
@@ -1,8 +1,8 @@
 .text-center.gl-mt-1.gl-mb-5
   .svg-content{ data: { testid: 'label-svg-content' } }
-    = image_tag 'illustrations/empty-state/empty-labels-starred-md.svg'
+    = image_tag 'illustrations/empty-state/empty-labels-starred-md.svg', role: 'presentation'
   - if can?(current_user, :admin_label, @project)
-    %h5.gl-my-0
+    %h3.gl-heading-5.gl-my-0
       = _("No prioritized labels yet!")
     %p.gl-text-subtle
       = _("Star labels to start sorting by priority.")
diff --git a/app/workers/jira_connect/retry_request_worker.rb b/app/workers/jira_connect/retry_request_worker.rb
index bfa0e48feca..664e8922492 100644
--- a/app/workers/jira_connect/retry_request_worker.rb
+++ b/app/workers/jira_connect/retry_request_worker.rb
@@ -12,7 +12,7 @@ module JiraConnect
     worker_has_external_dependencies!
 
     def perform(proxy_url, jwt, attempts = 3)
-      r = Gitlab::HTTP.post(proxy_url, headers: { 'Authorization' => "JWT #{jwt}" })
+      r = Integrations::Clients::HTTP.post(proxy_url, headers: { 'Authorization' => "JWT #{jwt}" })
 
       self.class.perform_in(1.hour, proxy_url, jwt, attempts - 1) if r.code >= 400 && attempts > 0
     rescue *Gitlab::HTTP::HTTP_ERRORS
diff --git a/config/initializers/net_http.rb b/config/initializers/net_http.rb
index 64bde080537..fa9c9e611a0 100644
--- a/config/initializers/net_http.rb
+++ b/config/initializers/net_http.rb
@@ -1,24 +1,58 @@
 # frozen_string_literal: true
 
+MONKEY_PATCH_METHOD_CHECKSUM = "7fd222f9cffc7ab25d4782d380fdb0b5e83b35d495f9e2fbd8e5057891c73108"
+
+unless Rails.env.production?
+  source = "Net::HTTPResponse::Inflater".safe_constantize&.instance_method(:inflate_adapter)&.source.to_s.strip
+
+  unless OpenSSL::Digest::SHA256.hexdigest(source) == MONKEY_PATCH_METHOD_CHECKSUM
+    raise "Original Net::HTTPResponse::Inflater code was modified. Please update the patch accordingly, then update" \
+      "the checksum."
+  end
+end
+
 module Net
   class HTTPResponse
-    module FinishOverride
-      # rubocop:disable Gitlab/ModuleWithInstanceVariables -- This is a Monkey Patch
-      def finish
-        if Gitlab.config.gitlab.log_decompressed_response_bytesize > 0 &&
-            @inflate.total_out > Gitlab.config.gitlab.log_decompressed_response_bytesize
-          Gitlab::AppJsonLogger.debug(message: 'net/http: response decompressed', size: @inflate.total_out,
-            caller: Gitlab::BacktraceCleaner.clean_backtrace(caller))
+    # This is a monkey patch over an existing method of net/http to limit maximum decompression size
+    #
+    # To disable the decomposition limit validation see `::Gitlab::HTTP.without_decompression_limit`.
+    #
+    # Original code from
+    # https://github.com/ruby/ruby/blob/d5f94941d87743d6563fa1a038665917dea70201/lib/net/http/response.rb#L693-L707
+    class Inflater
+      def inflate_adapter(dest)
+        if dest.respond_to?(:set_encoding)
+          dest.set_encoding(Encoding::ASCII_8BIT)
+        elsif dest.respond_to?(:force_encoding)
+          dest.force_encoding(Encoding::ASCII_8BIT)
         end
 
-        super
-      end
-      # rubocop:enable Gitlab/ModuleWithInstanceVariables
-    end
+        block = proc do |compressed_chunk|
+          @inflate.inflate(compressed_chunk) do |chunk|
+            compressed_chunk.clear
 
-    # Limit the maximum decompression size
-    class Inflater
-      prepend FinishOverride
+            if validate_decompressed_size? && @inflate.total_out > max_http_decompressed_size
+              Gitlab::AppJsonLogger.error(message: 'Net::HTTP - Response size too large', size: @inflate.total_out,
+                caller: Gitlab::BacktraceCleaner.clean_backtrace(caller))
+
+              raise Gitlab::HTTP::MaxDecompressionSizeError, "Response size over #{max_http_decompressed_size} bytes"
+            end
+
+            dest << chunk
+          end
+        end
+
+        Net::ReadAdapter.new(block)
+      end
+
+      def validate_decompressed_size?
+        Gitlab::CurrentSettings.max_http_decompressed_size > 0 &&
+          !Gitlab::SafeRequestStore[:disable_net_http_decompression]
+      end
+
+      def max_http_decompressed_size
+        Gitlab::CurrentSettings.max_http_decompressed_size.megabytes
+      end
     end
   end
 end
diff --git a/db/docs/batched_background_migrations/backfill_bulk_import_export_batches_group_id.yml b/db/docs/batched_background_migrations/backfill_bulk_import_export_batches_group_id.yml
index c61c96ea7f1..ced0e4db1fd 100644
--- a/db/docs/batched_background_migrations/backfill_bulk_import_export_batches_group_id.yml
+++ b/db/docs/batched_background_migrations/backfill_bulk_import_export_batches_group_id.yml
@@ -5,4 +5,4 @@ feature_category: importers
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180432
 milestone: '17.9'
 queued_migration_version: 20250205194220
-finalized_by: # version of the migration that finalized this BBM
+finalized_by: '20250610152957'
diff --git a/db/docs/batched_background_migrations/backfill_design_management_repository_states_namespace_id.yml b/db/docs/batched_background_migrations/backfill_design_management_repository_states_namespace_id.yml
index 05efbec786a..02a67e8380a 100644
--- a/db/docs/batched_background_migrations/backfill_design_management_repository_states_namespace_id.yml
+++ b/db/docs/batched_background_migrations/backfill_design_management_repository_states_namespace_id.yml
@@ -5,4 +5,4 @@ feature_category: geo_replication
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180426
 milestone: '17.9'
 queued_migration_version: 20250205193115
-finalized_by: # version of the migration that finalized this BBM
+finalized_by: 20250611100647
diff --git a/db/docs/batched_background_migrations/backfill_design_user_mentions_namespace_id.yml b/db/docs/batched_background_migrations/backfill_design_user_mentions_namespace_id.yml
index 01c97800540..1997d95a735 100644
--- a/db/docs/batched_background_migrations/backfill_design_user_mentions_namespace_id.yml
+++ b/db/docs/batched_background_migrations/backfill_design_user_mentions_namespace_id.yml
@@ -5,4 +5,4 @@ feature_category: team_planning
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180837
 milestone: '17.9'
 queued_migration_version: 20250209005146
-finalized_by: # version of the migration that finalized this BBM
+finalized_by: 20250611095947
diff --git a/db/docs/batched_background_migrations/backfill_issuable_slas_namespace_id.yml b/db/docs/batched_background_migrations/backfill_issuable_slas_namespace_id.yml
index 169c91f2e00..f2cca619900 100644
--- a/db/docs/batched_background_migrations/backfill_issuable_slas_namespace_id.yml
+++ b/db/docs/batched_background_migrations/backfill_issuable_slas_namespace_id.yml
@@ -5,4 +5,4 @@ feature_category: incident_management
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175719
 milestone: '17.8'
 queued_migration_version: 20241213142263
-finalized_by: # version of the migration that finalized this BBM
+finalized_by: '20250605204337'
diff --git a/db/post_migrate/20250605204337_finalize_backfill_issuable_slas_namespace_id.rb b/db/post_migrate/20250605204337_finalize_backfill_issuable_slas_namespace_id.rb
new file mode 100644
index 00000000000..7829f8e0944
--- /dev/null
+++ b/db/post_migrate/20250605204337_finalize_backfill_issuable_slas_namespace_id.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class FinalizeBackfillIssuableSlasNamespaceId < Gitlab::Database::Migration[2.3]
+  milestone '18.1'
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'BackfillIssuableSlasNamespaceId',
+      table_name: :issuable_slas,
+      column_name: :id,
+      job_arguments: [:namespace_id, :issues, :namespace_id, :issue_id],
+      finalize: true
+    )
+  end
+
+  def down; end
+end
diff --git a/db/post_migrate/20250610152957_finalize_backfill_bulk_import_export_batches_group_id.rb b/db/post_migrate/20250610152957_finalize_backfill_bulk_import_export_batches_group_id.rb
new file mode 100644
index 00000000000..275bcead0a6
--- /dev/null
+++ b/db/post_migrate/20250610152957_finalize_backfill_bulk_import_export_batches_group_id.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class FinalizeBackfillBulkImportExportBatchesGroupId < Gitlab::Database::Migration[2.3]
+  milestone '18.1'
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'BackfillBulkImportExportBatchesGroupId',
+      table_name: :bulk_import_export_batches,
+      column_name: :id,
+      job_arguments: [:group_id, :bulk_import_exports, :group_id, :export_id],
+      finalize: true
+    )
+  end
+
+  def down; end
+end
diff --git a/db/post_migrate/20250611095947_finalize_backfill_design_user_mentions_namespace_id.rb b/db/post_migrate/20250611095947_finalize_backfill_design_user_mentions_namespace_id.rb
new file mode 100644
index 00000000000..da5d9001ebb
--- /dev/null
+++ b/db/post_migrate/20250611095947_finalize_backfill_design_user_mentions_namespace_id.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class FinalizeBackfillDesignUserMentionsNamespaceId < Gitlab::Database::Migration[2.3]
+  milestone '18.1'
+
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'BackfillDesignUserMentionsNamespaceId',
+      table_name: :design_user_mentions,
+      column_name: :id,
+      job_arguments: [:namespace_id, :design_management_designs, :namespace_id, :design_id],
+      finalize: true
+    )
+  end
+
+  def down; end
+end
diff --git a/db/post_migrate/20250611100647_finalize_backfill_design_management_repository_states_namespace_id.rb b/db/post_migrate/20250611100647_finalize_backfill_design_management_repository_states_namespace_id.rb
new file mode 100644
index 00000000000..2ce0fad60c7
--- /dev/null
+++ b/db/post_migrate/20250611100647_finalize_backfill_design_management_repository_states_namespace_id.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class FinalizeBackfillDesignManagementRepositoryStatesNamespaceId < Gitlab::Database::Migration[2.3]
+  milestone '18.1'
+
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'BackfillDesignManagementRepositoryStatesNamespaceId',
+      table_name: :design_management_repository_states,
+      column_name: :design_management_repository_id,
+      job_arguments: [:namespace_id, :design_management_repositories, :namespace_id, :design_management_repository_id],
+      finalize: true
+    )
+  end
+
+  def down; end
+end
diff --git a/db/schema_migrations/20250605204337 b/db/schema_migrations/20250605204337
new file mode 100644
index 00000000000..78285d683eb
--- /dev/null
+++ b/db/schema_migrations/20250605204337
@@ -0,0 +1 @@
+7cea86680a0475a789c1df120bbea3a5c010fdcb21fb531647c5f1c40fa862e5
\ No newline at end of file
diff --git a/db/schema_migrations/20250610152957 b/db/schema_migrations/20250610152957
new file mode 100644
index 00000000000..b77d57114e1
--- /dev/null
+++ b/db/schema_migrations/20250610152957
@@ -0,0 +1 @@
+cae7e8295a5216ee5b4d4c886ae87e529634b9faac7d6a6b04a0972dbd0858d7
\ No newline at end of file
diff --git a/db/schema_migrations/20250611095947 b/db/schema_migrations/20250611095947
new file mode 100644
index 00000000000..9e74c9f20ee
--- /dev/null
+++ b/db/schema_migrations/20250611095947
@@ -0,0 +1 @@
+4a5720e055d17c41a01f9cfb68c5da9af258c9cf14900aa821453089b6489937
\ No newline at end of file
diff --git a/db/schema_migrations/20250611100647 b/db/schema_migrations/20250611100647
new file mode 100644
index 00000000000..75e10d7e415
--- /dev/null
+++ b/db/schema_migrations/20250611100647
@@ -0,0 +1 @@
+9cfda522c1e97f313318d6861d540d3ef2d61075e3d0922d73609a69168623b5
\ No newline at end of file
diff --git a/doc/administration/gitaly/praefect.md b/doc/administration/gitaly/praefect.md
index dea76c08aa2..8754ca6289b 100644
--- a/doc/administration/gitaly/praefect.md
+++ b/doc/administration/gitaly/praefect.md
@@ -275,6 +275,15 @@ instructions only work on the Linux package-provided PostgreSQL:
    Replace `<PRAEFECT_SQL_PASSWORD_HASH>` with the hash of the password you generated in the
    preparation step. It is prefixed with `md5` literal.
 
+1. Create a new user `pgbouncer` to be used by PgBouncer:
+
+   ```sql
+   CREATE ROLE pgbouncer WITH LOGIN;
+   ALTER USER pgbouncer WITH password 'md5<PGBOUNCER_SQL_PASSWORD_HASH>';
+   ```
+
+   Replace `PGBOUNCER_SQL_PASSWORD_HASH` with the strong password hash you generated in the preparation step.
+
 1. The PgBouncer that is shipped with the Linux package is configured to use [`auth_query`](https://www.pgbouncer.org/config.html#generic-settings)
    and uses `pg_shadow_lookup` function. You need to create this function in `praefect_production`
    database:
diff --git a/doc/administration/instance_limits.md b/doc/administration/instance_limits.md
index af3b563055c..9cc2b680d1c 100644
--- a/doc/administration/instance_limits.md
+++ b/doc/administration/instance_limits.md
@@ -307,6 +307,38 @@ There is a limit when embedding metrics in GitLab Flavored Markdown (GLFM) for p
 
 - **Max limit**: 100 embeds.
 
+## HTTP response limits
+
+### Maximum Gzip-compressed size
+
+This setting is used to restrict the maximum allowed size in MiB for Gzip-compressed
+HTTP responses after decompression to prevent DoS.
+
+The default maximum size is 100 MiB. To disable this limit, set the value to 0.
+If the value is too high, it could expose the instance to DoS attacks.
+
+You can change this limit by using the GitLab Rails console or use
+[application setting API](../api/settings.md)
+
+ ```ruby
+ ApplicationSetting.update(max_http_decompressed_size: 50)
+ ```
+
+### Maximum HTTP responses size
+
+This setting is used to restrict the maximum allowed size in MiB for decompressed
+HTTP responses to prevent DoS. It applies to integrations, importers, and webhooks.
+
+The default maximum size is 100 MiB. To disable this limit, set the value to 0.
+If the value is too high, it could expose the instance to DoS attacks.
+
+You can change this limit by using the GitLab Rails console or use
+[application setting API](../api/settings.md)
+
+ ```ruby
+ ApplicationSetting.update(max_http_response_size_limit: 60)
+ ```
+
 ## Webhook limits
 
 Also see [Webhook rate limits](#webhook-rate-limit).
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index 9c3f8f0b1e8..60b40ce9baa 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -6697,6 +6697,7 @@ Input type: `HttpIntegrationCreateInput`
 | <a id="mutationhttpintegrationcreatepayloadattributemappings"></a>`payloadAttributeMappings` | [`[AlertManagementPayloadAlertFieldInput!]`](#alertmanagementpayloadalertfieldinput) | Custom mapping of GitLab alert attributes to fields from the payload example. |
 | <a id="mutationhttpintegrationcreatepayloadexample"></a>`payloadExample` | [`JsonString`](#jsonstring) | Example of an alert payload. |
 | <a id="mutationhttpintegrationcreateprojectpath"></a>`projectPath` | [`ID!`](#id) | Project to create the integration in. |
+| <a id="mutationhttpintegrationcreatetype"></a>`type` | [`AlertManagementIntegrationType`](#alertmanagementintegrationtype) | Type of integration to create. Cannot be changed after creation. |
 
 #### Fields
 
@@ -6704,7 +6705,7 @@ Input type: `HttpIntegrationCreateInput`
 | ---- | ---- | ----------- |
 | <a id="mutationhttpintegrationcreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationhttpintegrationcreateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during the mutation. |
-| <a id="mutationhttpintegrationcreateintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | HTTP integration. |
+| <a id="mutationhttpintegrationcreateintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | Alerting integration. |
 
 ### `Mutation.httpIntegrationDestroy`
 
@@ -6723,7 +6724,7 @@ Input type: `HttpIntegrationDestroyInput`
 | ---- | ---- | ----------- |
 | <a id="mutationhttpintegrationdestroyclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationhttpintegrationdestroyerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during the mutation. |
-| <a id="mutationhttpintegrationdestroyintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | HTTP integration. |
+| <a id="mutationhttpintegrationdestroyintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | Alerting integration. |
 
 ### `Mutation.httpIntegrationResetToken`
 
@@ -6742,7 +6743,7 @@ Input type: `HttpIntegrationResetTokenInput`
 | ---- | ---- | ----------- |
 | <a id="mutationhttpintegrationresettokenclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationhttpintegrationresettokenerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during the mutation. |
-| <a id="mutationhttpintegrationresettokenintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | HTTP integration. |
+| <a id="mutationhttpintegrationresettokenintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | Alerting integration. |
 
 ### `Mutation.httpIntegrationUpdate`
 
@@ -6765,7 +6766,7 @@ Input type: `HttpIntegrationUpdateInput`
 | ---- | ---- | ----------- |
 | <a id="mutationhttpintegrationupdateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationhttpintegrationupdateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during the mutation. |
-| <a id="mutationhttpintegrationupdateintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | HTTP integration. |
+| <a id="mutationhttpintegrationupdateintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | Alerting integration. |
 
 ### `Mutation.importSourceUserCancelReassignment`
 
diff --git a/doc/api/settings.md b/doc/api/settings.md
index b775c284e79..6e0dfe7d086 100644
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -614,6 +614,8 @@ to configure other related settings. These requirements are
 | `max_export_size`                        | integer          | no                                   | Maximum export size in MB. 0 for unlimited. Default = 0 (unlimited). |
 | `max_github_response_size_limit`         | integer          | no                                   | Maximum allowed GitHub API response size in MB. 0 for unlimited. |
 | `max_github_response_json_value_count`   | integer          | no                                   | Maximum allowed value count for GitHub API responses. 0 for unlimited. Count is an estimate based on the number of `:` `,` `{` and `[` occurrences in the response. |
+| `max_http_decompressed_size`             | integer          | no                                   | Maximum allowed size in MiB for Gzip-compressed HTTP responses after decompression. 0 for unlimited. |
+| `max_http_response_size_limit`           | integer          | no                                   | Maximum allowed size in MiB for HTTP responses. 0 for unlimited. |
 | `max_import_size`                        | integer          | no                                   | Maximum import size in MB. 0 for unlimited. Default = 0 (unlimited). |
 | `max_import_remote_file_size`            | integer          | no                                   | Maximum remote file size for imports from external object storages. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384976) in GitLab 16.3. |
 | `max_login_attempts`                     | integer          | no                                   | Maximum number of sign-in attempts before locking out the user. |
diff --git a/doc/development/import/principles_of_importer_design.md b/doc/development/import/principles_of_importer_design.md
index 31743c8690a..5bde1ee76f1 100644
--- a/doc/development/import/principles_of_importer_design.md
+++ b/doc/development/import/principles_of_importer_design.md
@@ -13,9 +13,11 @@ title: Principles of Importer Design
 - Importers must not add third-party Ruby gems that make HTTP calls.
   Importers use the same
   [Ruby gem policy as for integrations](../integrations/_index.md#no-ruby-gems-that-make-http-calls), for more information about Ruby gem use for importers see that page.
-- All HTTP calls must use `Gitlab::HTTP`.
-  `Gitlab::HTTP` ensures that [network settings](../../security/webhooks.md) of the instance
-  are enforced and has other [security hardening](../../security/webhooks.md#enforce-dns-rebinding-attack-protection) measures.
+- All HTTP calls must use `Import::Clients::HTTP`, which:
+  - Ensures that [network settings](../../security/webhooks.md) are enforced for HTTP calls.
+  - Has additional [security hardening](../../security/webhooks.md#enforce-dns-rebinding-attack-protection) features.
+  - Is our single source of truth for making secure HTTP calls.
+  - Ensure all response sizes are validated.
 
 ## Logging
 
diff --git a/doc/development/integrations/_index.md b/doc/development/integrations/_index.md
index 803216e5fdf..d36f644b619 100644
--- a/doc/development/integrations/_index.md
+++ b/doc/development/integrations/_index.md
@@ -208,13 +208,14 @@ For example, to create metric definitions for the Slack integration, you copy th
 
 ### Security requirements
 
-#### All HTTP calls must use `Gitlab::HTTP`
+#### All HTTP calls must use `Integrations::Clients::HTTP`
 
-Integrations must always make HTTP calls using `Gitlab::HTTP`, which:
+Integrations must always make HTTP calls using `Integrations::Clients::HTTP`, which:
 
 - Ensures that [network settings](../../security/webhooks.md) are enforced for HTTP calls.
 - Has additional [security hardening](../../security/webhooks.md#enforce-dns-rebinding-attack-protection) features.
 - Is our single source of truth for making secure HTTP calls.
+- Ensure all response sizes are validated.
 
 #### Masking channel values
 
@@ -244,7 +245,7 @@ but they offer minimal benefit compared to the costs involved:
 - They increase the potential surface area of security problems and the effort required to fix them.
 - Often these gems make HTTP calls on your behalf. As integrations can make HTTP calls to remote
   servers configured by users, it is critical that we
-  [fully control the network calls](#all-http-calls-must-use-gitlabhttp).
+  [fully control the network calls](#all-http-calls-must-use-integrationsclientshttp).
 - There is a maintenance cost of managing gem upgrades.
 - They can block us from using newer features.
 
diff --git a/doc/user/gitlab_duo_chat/_index.md b/doc/user/gitlab_duo_chat/_index.md
index a56ee35852d..e08823e768d 100644
--- a/doc/user/gitlab_duo_chat/_index.md
+++ b/doc/user/gitlab_duo_chat/_index.md
@@ -10,7 +10,8 @@ title: GitLab Duo Chat
 - Tier: Premium, Ultimate
 - Add-on: GitLab Duo Core, Pro, or Enterprise, GitLab Duo with Amazon Q
 - Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
-- LLMs: Anthropic [Claude 3.7 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-7-sonnet), Anthropic [Claude 3.5 Sonnet V2](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet-v2), Anthropic [Claude 3.5 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet), Anthropic [Claude 3.5 Haiku](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-haiku), and [Vertex AI Search](https://cloud.google.com/enterprise-search). The LLM depends on the question asked.
+- LLMs: Anthropic [Claude 4.0 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-sonnet-4), 
+Anthropic [Claude 3.7 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-7-sonnet), Anthropic [Claude 3.5 Sonnet V2](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet-v2), Anthropic [Claude 3.5 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet), Anthropic [Claude 3.5 Haiku](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-haiku), and [Vertex AI Search](https://cloud.google.com/enterprise-search). The LLM depends on the question asked.
 - LLM for Amazon Q: Amazon Q Developer
 
 {{< /details >}}
diff --git a/doc/user/project/settings/import_export.md b/doc/user/project/settings/import_export.md
index 0692a0a27d6..2af6f44e595 100644
--- a/doc/user/project/settings/import_export.md
+++ b/doc/user/project/settings/import_export.md
@@ -162,6 +162,8 @@ Prerequisites:
 
 - Review the list of [items that are exported](#project-items-that-are-exported). Not all items are exported.
 - You must have at least the Maintainer role for the project.
+- For significantly improved performance for repositories with a large number of Git references, use GitLab 18.0 or later. For more information, see our
+  [blog post about decreasing GitLab repository backup times](https://about.gitlab.com/blog/2025/06/05/how-we-decreased-gitlab-repo-backup-times-from-48-hours-to-41-minutes/).
 
 To export a project and its data, follow these steps:
 
diff --git a/gems/gitlab-http/.rubocop.yml b/gems/gitlab-http/.rubocop.yml
index 382d7d3d19d..1ee866e4561 100644
--- a/gems/gitlab-http/.rubocop.yml
+++ b/gems/gitlab-http/.rubocop.yml
@@ -9,6 +9,9 @@ Naming/ClassAndModuleCamelCase:
   AllowedNames:
     - HTTP_V2
 
+Style/NumericPredicate:
+  EnforcedStyle: comparison
+
 Style/SpecialGlobalVars:
   Enabled: false
 
diff --git a/gems/gitlab-http/lib/gitlab/http_v2/client.rb b/gems/gitlab-http/lib/gitlab/http_v2/client.rb
index de594bd0b31..f83c844e1d1 100644
--- a/gems/gitlab-http/lib/gitlab/http_v2/client.rb
+++ b/gems/gitlab-http/lib/gitlab/http_v2/client.rb
@@ -73,21 +73,18 @@ module Gitlab
           start_time = nil
           read_total_timeout = options.fetch(:timeout, DEFAULT_READ_TOTAL_TIMEOUT)
           byte_size = 0
-          already_logged = false
+          max_bytesize = options.fetch(:max_bytes, 0)
 
           promise = Concurrent::Promise.new do
             Gitlab::Utils.restrict_within_concurrent_ruby do
               httparty_perform_request(http_method, path, options_with_timeouts) do |fragment|
                 start_time ||= system_monotonic_time
                 elapsed = system_monotonic_time - start_time
-                byte_size += fragment.bytesize if should_log_response_size?
+                byte_size += fragment.bytesize
 
                 raise ReadTotalTimeout, "Request timed out after #{elapsed} seconds" if elapsed > read_total_timeout
 
-                if should_log_response_size? && byte_size > expected_max_response_size && !already_logged
-                  configuration.log_with_level(:debug, message: 'gitlab/http: response size', size: byte_size)
-                  already_logged = true
-                end
+                check_max_byte_size_limit!(max_bytesize, byte_size)
 
                 yield fragment if block
               end
@@ -101,20 +98,17 @@ module Gitlab
           start_time = nil
           read_total_timeout = options.fetch(:timeout, DEFAULT_READ_TOTAL_TIMEOUT)
           byte_size = 0
-          already_logged = false
+          max_bytesize = options.fetch(:max_bytes, 0)
 
           httparty_perform_request(http_method, path, options_with_timeouts) do |fragment|
             start_time ||= system_monotonic_time
             elapsed = system_monotonic_time - start_time
-            byte_size += fragment.bytesize if should_log_response_size?
-
-            if should_log_response_size? && byte_size > expected_max_response_size && !already_logged
-              configuration.log_with_level(:debug, message: 'gitlab/http: response size', size: byte_size)
-              already_logged = true
-            end
+            byte_size += fragment.bytesize
 
             raise ReadTotalTimeout, "Request timed out after #{elapsed} seconds" if elapsed > read_total_timeout
 
+            check_max_byte_size_limit!(max_bytesize, byte_size)
+
             yield fragment if block
           end
         rescue HTTParty::RedirectionTooDeep
@@ -141,19 +135,18 @@ module Gitlab
           raise SilentModeBlockedError, 'only get, head, options, and trace methods are allowed in silent mode'
         end
 
+        def check_max_byte_size_limit!(max_bytesize, byte_size)
+          return unless max_bytesize > 0 && byte_size > max_bytesize
+
+          configuration.log_with_level(:error,
+            { message: 'Gitlab::HTTP - Response size too large', size: byte_size })
+
+          raise ResponseSizeTooLarge, "Response size over #{max_bytesize} bytes"
+        end
+
         def system_monotonic_time
           Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second)
         end
-
-        def should_log_response_size?
-          return @should_log_response_size if instance_variable_defined?(:@should_log_response_size)
-
-          @should_log_response_size = ENV["GITLAB_LOG_DECOMPRESSED_RESPONSE_BYTESIZE"].to_i.positive?
-        end
-
-        def expected_max_response_size
-          ENV["GITLAB_LOG_DECOMPRESSED_RESPONSE_BYTESIZE"].to_i
-        end
       end
     end
   end
diff --git a/gems/gitlab-http/lib/gitlab/http_v2/exceptions.rb b/gems/gitlab-http/lib/gitlab/http_v2/exceptions.rb
index 5a34d0b9939..e3a5249ef0b 100644
--- a/gems/gitlab-http/lib/gitlab/http_v2/exceptions.rb
+++ b/gems/gitlab-http/lib/gitlab/http_v2/exceptions.rb
@@ -9,6 +9,8 @@ module Gitlab
     ReadTotalTimeout = Class.new(Net::ReadTimeout)
     HeaderReadTimeout = Class.new(Net::ReadTimeout)
     SilentModeBlockedError = Class.new(StandardError)
+    ResponseSizeTooLarge = Class.new(StandardError)
+    MaxDecompressionSizeError = Class.new(StandardError)
 
     HTTP_TIMEOUT_ERRORS = [
       Net::OpenTimeout, Net::ReadTimeout, Net::WriteTimeout, Gitlab::HTTP_V2::ReadTotalTimeout
@@ -18,7 +20,7 @@ module Gitlab
       EOFError, SocketError, OpenSSL::SSL::SSLError, OpenSSL::OpenSSLError,
       Errno::ECONNRESET, Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH,
       Gitlab::HTTP_V2::BlockedUrlError, Gitlab::HTTP_V2::RedirectionTooDeep,
-      Net::HTTPBadResponse
+      Net::HTTPBadResponse, Gitlab::HTTP_V2::ResponseSizeTooLarge, Gitlab::HTTP_V2::ResponseSizeTooLarge
     ].freeze
   end
 end
diff --git a/gems/gitlab-http/spec/gitlab/http_v2_spec.rb b/gems/gitlab-http/spec/gitlab/http_v2_spec.rb
index 74460c87289..c8bf734025f 100644
--- a/gems/gitlab-http/spec/gitlab/http_v2_spec.rb
+++ b/gems/gitlab-http/spec/gitlab/http_v2_spec.rb
@@ -246,67 +246,72 @@ RSpec.describe Gitlab::HTTP_V2, feature_category: :shared do
     end
   end
 
-  describe 'logging response size' do
-    context 'when GITLAB_LOG_DECOMPRESSED_RESPONSE_BYTESIZE is not set' do
-      before do
-        stub_full_request('http://example.org', method: :any).to_return(status: 200, body: 'hello world')
-      end
-
-      it 'does not log response size' do
-        expect(described_class.configuration)
-          .not_to receive(:log_with_level)
-
-        described_class.get('http://example.org')
-      end
-
-      context 'when the request is async' do
-        it 'does not log response size' do
-          expect(described_class.configuration)
-            .not_to receive(:log_with_level)
-
-          described_class.get('http://example.org', async: true).execute.value
-        end
-      end
+  describe 'response size limits' do
+    before do
+      stub_full_request('http://example.org', method: :any).to_return(status: 200, body: 'hello world')
     end
 
-    context 'when GITLAB_LOG_DECOMPRESSED_RESPONSE_BYTESIZE is set' do
-      before do
-        described_class::Client.remove_instance_variable(:@should_log_response_size)
-        stub_env('GITLAB_LOG_DECOMPRESSED_RESPONSE_BYTESIZE', 5)
-        stub_full_request('http://example.org', method: :any).to_return(status: 200, body: 'hello world')
+    it 'logs and raises an error if response size is greater than max_bytes' do
+      expect(described_class.configuration).to receive(:log_with_level)
+        .with(:error, { message: "Gitlab::HTTP - Response size too large", size: 11 })
+
+      expect do
+        described_class.get('http://example.org', max_bytes: 1.byte)
+      end.to raise_error(Gitlab::HTTP_V2::ResponseSizeTooLarge)
+    end
+
+    it 'returns the response if size is less than max_bytes' do
+      expect(described_class.configuration).not_to receive(:log_with_level)
+
+      result = described_class.put('http://example.org', max_bytes: 16.bytes)
+
+      expect(result.body).to eq('hello world')
+    end
+
+    it 'returns the response if max_bytes is not provided' do
+      result = described_class.put('http://example.org')
+
+      expect(result.body).to eq('hello world')
+    end
+
+    it 'returns the response if max_bytes is 0' do
+      result = described_class.put('http://example.org', max_bytes: 0)
+
+      expect(result.body).to eq('hello world')
+    end
+
+    context 'when the request is async' do
+      it 'logs and raises an error if response size is greater than max_bytes' do
+        expect(described_class.configuration).to receive(:log_with_level)
+          .with(:error, { message: "Gitlab::HTTP - Response size too large", size: 11 })
+
+        expect do
+          described_class.get('http://example.org', max_bytes: 1.byte, async: true).execute.value
+        end.to raise_error(Gitlab::HTTP_V2::ResponseSizeTooLarge)
       end
 
-      it 'logs the response size' do
-        expect(described_class.configuration)
-          .to receive(:log_with_level)
-          .with(:debug, { message: "gitlab/http: response size", size: 11 })
-          .once
+      it 'returns the response if size is less than max_bytes' do
+        expect(described_class.configuration).not_to receive(:log_with_level)
 
-        described_class.get('http://example.org')
+        result = described_class.put('http://example.org', max_bytes: 16.bytes, async: true)
+
+        expect(result.execute.value.body).to eq('hello world')
       end
 
-      context 'when the request is async' do
-        it 'logs response size' do
-          expect(described_class.configuration)
-            .to receive(:log_with_level)
-            .with(:debug, { message: "gitlab/http: response size", size: 11 })
-            .once
+      it 'returns the response if max_bytes is not provided' do
+        expect(described_class.configuration).not_to receive(:log_with_level)
 
-          described_class.get('http://example.org', async: true).execute.value
-        end
+        result = described_class.put('http://example.org', async: true)
+
+        expect(result.execute.value.body).to eq('hello world')
       end
 
-      context 'and the response size is smaller than the limit' do
-        before do
-          stub_env('GITLAB_LOG_DECOMPRESSED_RESPONSE_BYTESIZE', 50)
-        end
+      it 'returns the response if max_bytes is 0' do
+        expect(described_class.configuration).not_to receive(:log_with_level)
 
-        it 'does not log the response size' do
-          expect(described_class.configuration)
-            .not_to receive(:log_with_level)
+        result = described_class.put('http://example.org', max_bytes: 0, async: true)
 
-          described_class.get('http://example.org')
-        end
+        expect(result.execute.value.body).to eq('hello world')
       end
     end
   end
diff --git a/lib/api/notes.rb b/lib/api/notes.rb
index d2a617d149b..b016d633882 100644
--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -15,7 +15,9 @@ module API
 
     urgency :low, [
       '/projects/:id/merge_requests/:noteable_id/notes',
-      '/projects/:id/merge_requests/:noteable_id/notes/:note_id'
+      '/projects/:id/merge_requests/:noteable_id/notes/:note_id',
+      '/projects/:id/issues/:noteable_id/notes',
+      '/projects/:id/issues/:noteable_id/notes/:note_id'
     ]
 
     Helpers::NotesHelpers.noteable_types.each do |noteable_type|
diff --git a/lib/atlassian/jira_connect/client.rb b/lib/atlassian/jira_connect/client.rb
index 0c3218c6f9c..e1cc12dc499 100644
--- a/lib/atlassian/jira_connect/client.rb
+++ b/lib/atlassian/jira_connect/client.rb
@@ -2,7 +2,7 @@
 
 module Atlassian
   module JiraConnect
-    class Client < Gitlab::HTTP
+    class Client
       def self.generate_update_sequence_id
         (Time.now.utc.to_f * 1000).round
       end
@@ -46,7 +46,7 @@ module Atlassian
         uri = URI.join(@base_uri, path)
         uri.query = URI.encode_www_form(query_params)
 
-        self.class.get(uri, headers: headers(uri, 'GET'))
+        Integrations::Clients::HTTP.get(uri, headers: headers(uri, 'GET'))
       end
 
       def store_ff_info(project:, feature_flags:, **opts)
@@ -124,13 +124,13 @@ module Atlassian
       def post(path, payload)
         uri = URI.join(@base_uri, path)
 
-        self.class.post(uri, headers: headers(uri), body: metadata.merge(payload).to_json)
+        Integrations::Clients::HTTP.post(uri, headers: headers(uri), body: metadata.merge(payload).to_json)
       end
 
       def delete(path)
         uri = URI.join(@base_uri, path)
 
-        self.class.delete(uri, headers: headers(uri, 'DELETE'))
+        Integrations::Clients::HTTP.delete(uri, headers: headers(uri, 'DELETE'))
       end
 
       def headers(uri, http_method = 'POST')
diff --git a/lib/bitbucket/app_password_connection.rb b/lib/bitbucket/app_password_connection.rb
index 878c6d8ac79..923d750220d 100644
--- a/lib/bitbucket/app_password_connection.rb
+++ b/lib/bitbucket/app_password_connection.rb
@@ -17,7 +17,7 @@ module Bitbucket
 
     def get(path, extra_query = {})
       response = retry_with_exponential_backoff do
-        Gitlab::HTTP.get(build_url(path), basic_auth: basic_auth, headers: headers, query: extra_query)
+        Import::Clients::HTTP.get(build_url(path), basic_auth: basic_auth, headers: headers, query: extra_query)
       end
 
       response.parsed_response
diff --git a/lib/bitbucket_server/connection.rb b/lib/bitbucket_server/connection.rb
index 703f984077a..ad869be418d 100644
--- a/lib/bitbucket_server/connection.rb
+++ b/lib/bitbucket_server/connection.rb
@@ -33,7 +33,7 @@ module BitbucketServer
 
     def get(path, extra_query = {})
       response = retry_with_delay do
-        Gitlab::HTTP.get(build_url(path), basic_auth: auth, headers: accept_headers, query: extra_query)
+        Import::Clients::HTTP.get(build_url(path), basic_auth: auth, headers: accept_headers, query: extra_query)
       end
 
       check_errors!(response)
@@ -45,7 +45,7 @@ module BitbucketServer
 
     def post(path, body)
       response = retry_with_delay do
-        Gitlab::HTTP.post(build_url(path), basic_auth: auth, headers: post_headers, body: body)
+        Import::Clients::HTTP.post(build_url(path), basic_auth: auth, headers: post_headers, body: body)
       end
 
       check_errors!(response)
@@ -63,7 +63,7 @@ module BitbucketServer
       url = delete_url(resource, path)
 
       response = retry_with_delay do
-        Gitlab::HTTP.delete(url, basic_auth: auth, headers: post_headers, body: body)
+        Import::Clients::HTTP.delete(url, basic_auth: auth, headers: post_headers, body: body)
       end
 
       check_errors!(response)
diff --git a/lib/bulk_imports/clients/graphql.rb b/lib/bulk_imports/clients/graphql.rb
index 15ac8e450f0..9770176c7de 100644
--- a/lib/bulk_imports/clients/graphql.rb
+++ b/lib/bulk_imports/clients/graphql.rb
@@ -13,7 +13,7 @@ module BulkImports
       end
 
       def execute(query:, variables: {})
-        response = ::Gitlab::HTTP.post(
+        response = Import::Clients::HTTP.post(
           url,
           headers: headers,
           follow_redirects: false,
diff --git a/lib/bulk_imports/clients/http.rb b/lib/bulk_imports/clients/http.rb
index e22e37d66af..89e46c06d3f 100644
--- a/lib/bulk_imports/clients/http.rb
+++ b/lib/bulk_imports/clients/http.rb
@@ -76,7 +76,7 @@ module BulkImports
         return true unless instance_version >= ::Gitlab::VersionInfo.parse(PAT_ENDPOINT_MIN_VERSION)
 
         response = with_error_handling do
-          Gitlab::HTTP.get(resource_url("personal_access_tokens/self"), options)
+          Import::Clients::HTTP.get(resource_url("personal_access_tokens/self"), options)
         end
 
         return true if response['scopes']&.include?('api')
@@ -97,12 +97,12 @@ module BulkImports
       def metadata
         response = begin
           with_error_handling do
-            Gitlab::HTTP.get(resource_url(:version), options)
+            Import::Clients::HTTP.get(resource_url(:version), options)
           end
         rescue BulkImports::NetworkError
           # `version` endpoint is not available, try `metadata` endpoint instead
           with_error_handling do
-            Gitlab::HTTP.get(resource_url(:metadata), options)
+            Import::Clients::HTTP.get(resource_url(:metadata), options)
           end
         end
 
@@ -122,7 +122,7 @@ module BulkImports
       # rubocop:disable GitlabSecurity/PublicSend
       def request(method, resource, options = {}, &block)
         with_error_handling do
-          Gitlab::HTTP.public_send(
+          Import::Clients::HTTP.public_send(
             method,
             resource_url(resource),
             request_options(options),
diff --git a/lib/gitlab/chat/responder/mattermost.rb b/lib/gitlab/chat/responder/mattermost.rb
index 6f765a92a66..f90729e4b08 100644
--- a/lib/gitlab/chat/responder/mattermost.rb
+++ b/lib/gitlab/chat/responder/mattermost.rb
@@ -15,7 +15,7 @@ module Gitlab
         #
         # body - The message payload to send back to Mattermost, as a Hash.
         def send_response(body)
-          Gitlab::HTTP.post(
+          Integrations::Clients::HTTP.post(
             pipeline.chat_data.response_url,
             {
               headers: { 'Content-Type': 'application/json' },
diff --git a/lib/gitlab/chat/responder/slack.rb b/lib/gitlab/chat/responder/slack.rb
index d3810bf9132..175ae4e02ce 100644
--- a/lib/gitlab/chat/responder/slack.rb
+++ b/lib/gitlab/chat/responder/slack.rb
@@ -16,7 +16,7 @@ module Gitlab
         #
         # output - The output to send back to Slack, as a Hash.
         def send_response(output)
-          response = Gitlab::HTTP.post(
+          response = Integrations::Clients::HTTP.post(
             pipeline.chat_data.response_url,
             {
               headers: { Accept: 'application/json' },
diff --git a/lib/gitlab/diff/file.rb b/lib/gitlab/diff/file.rb
index aa331f5cd68..13faf7cd67e 100644
--- a/lib/gitlab/diff/file.rb
+++ b/lib/gitlab/diff/file.rb
@@ -454,6 +454,10 @@ module Gitlab
         new_file? || deleted_file? || content_changed?
       end
 
+      def no_preview?
+        collapsed? || !modified_file?
+      end
+
       def diffable_text?
         !too_large? && diffable? && text? && !whitespace_only?
       end
diff --git a/lib/gitlab/fogbugz_import/http_adapter.rb b/lib/gitlab/fogbugz_import/http_adapter.rb
index bfae7a10f5b..6d37ace2f08 100644
--- a/lib/gitlab/fogbugz_import/http_adapter.rb
+++ b/lib/gitlab/fogbugz_import/http_adapter.rb
@@ -12,7 +12,7 @@ module Gitlab
 
         params = { 'cmd' => action }.merge(options.fetch(:params, {}))
 
-        response = Gitlab::HTTP.post(uri, body: params)
+        response = ::Import::Clients::HTTP.post(uri, body: params)
 
         response.body
       end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index e37d71e51c3..977deb56ccf 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -83,8 +83,7 @@ module Gitlab
       check_command_disabled!
       check_command_existence!
 
-      custom_action = check_custom_action
-      return custom_action if custom_action
+      check_custom_ssh_action!
 
       check_db_accessibility!
       check_container!
@@ -185,7 +184,7 @@ module Gitlab
       check_project_accessibility!
     end
 
-    def check_custom_action
+    def check_custom_ssh_action!
       # no-op: Overridden in EE
     end
 
diff --git a/lib/gitlab/git_access_snippet.rb b/lib/gitlab/git_access_snippet.rb
index 8c291dd56ba..9eda2099eb7 100644
--- a/lib/gitlab/git_access_snippet.rb
+++ b/lib/gitlab/git_access_snippet.rb
@@ -46,8 +46,8 @@ module Gitlab
     private
 
     # TODO: Implement EE/Geo https://gitlab.com/gitlab-org/gitlab/issues/205629
-    override :check_custom_action
-    def check_custom_action
+    override :check_custom_ssh_action!
+    def check_custom_ssh_action!
       # snippets never return custom actions, such as geo replication.
     end
 
diff --git a/lib/gitlab/github_gists_import/representation/gist.rb b/lib/gitlab/github_gists_import/representation/gist.rb
index 674da4f3400..86d52764eee 100644
--- a/lib/gitlab/github_gists_import/representation/gist.rb
+++ b/lib/gitlab/github_gists_import/representation/gist.rb
@@ -58,7 +58,7 @@ module Gitlab
 
           {
             file_name: value[:filename],
-            file_content: Gitlab::HTTP.try_get(value[:raw_url])&.body
+            file_content: ::Import::Clients::HTTP.try_get(value[:raw_url])&.body
           }
         end
 
diff --git a/lib/gitlab/github_import/attachments_downloader.rb b/lib/gitlab/github_import/attachments_downloader.rb
index e9192b97506..4162a000d6c 100644
--- a/lib/gitlab/github_import/attachments_downloader.rb
+++ b/lib/gitlab/github_import/attachments_downloader.rb
@@ -53,7 +53,7 @@ module Gitlab
         return file_url unless file_url.starts_with?(github_assets_url_regex)
 
         options[:follow_redirects] = false
-        response = Gitlab::HTTP.perform_request(Net::HTTP::Get, file_url, options)
+        response = ::Import::Clients::HTTP.get(file_url, options)
 
         download_url = if response.redirection?
                          response.headers[:location]
diff --git a/lib/gitlab/harbor/client.rb b/lib/gitlab/harbor/client.rb
index bd317c53507..a842f501641 100644
--- a/lib/gitlab/harbor/client.rb
+++ b/lib/gitlab/harbor/client.rb
@@ -19,7 +19,7 @@ module Gitlab
 
       def check_project_availability
         options = { headers: headers.merge!(Accept: 'application/json') }
-        response = Gitlab::HTTP.head(url("projects?project_name=#{integration.project_name}"), options)
+        response = Integrations::Clients::HTTP.head(url("projects?project_name=#{integration.project_name}"), options)
 
         { success: response.success? }
       end
@@ -46,7 +46,7 @@ module Gitlab
 
       def get(path, params = {})
         options = { headers: headers, query: params }
-        response = Gitlab::HTTP.get(path, options)
+        response = Integrations::Clients::HTTP.get(path, options)
 
         raise Gitlab::Harbor::Client::Error, 'request error' unless response.success?
 
diff --git a/lib/gitlab/http.rb b/lib/gitlab/http.rb
index cd9248b5fc8..6e1926ba11e 100644
--- a/lib/gitlab/http.rb
+++ b/lib/gitlab/http.rb
@@ -7,6 +7,8 @@ module Gitlab
     ReadTotalTimeout = Gitlab::HTTP_V2::ReadTotalTimeout
     HeaderReadTimeout = Gitlab::HTTP_V2::HeaderReadTimeout
     SilentModeBlockedError = Gitlab::HTTP_V2::SilentModeBlockedError
+    ResponseSizeTooLarge = Gitlab::HTTP_V2::ResponseSizeTooLarge
+    MaxDecompressionSizeError = Gitlab::HTTP_V2::MaxDecompressionSizeError
 
     HTTP_TIMEOUT_ERRORS = Gitlab::HTTP_V2::HTTP_TIMEOUT_ERRORS
     HTTP_ERRORS = Gitlab::HTTP_V2::HTTP_ERRORS
@@ -50,6 +52,22 @@ module Gitlab
         ::Gitlab::HTTP_V2.public_send(method_name, path, http_v2_options(options), &block) # rubocop:disable GitlabSecurity/PublicSend -- method is validated to make sure it is one of the methods in Gitlab::HTTP_V2::SUPPORTED_HTTP_METHODS
       end
 
+      # Disables the decompression limit validation for the duration of the given block.
+      #
+      # SECURITY WARNING: Only use this method for requests to trusted web servers that are not
+      # user-controlled. For requests to user-controlled servers, set `accept-encoding: identity`
+      # in the request headers to request the source server not return a compressed response.
+      def without_decompression_limit
+        return yield unless Gitlab::SafeRequestStore.active?
+
+        begin
+          Gitlab::SafeRequestStore[:disable_net_http_decompression] = true
+          yield
+        ensure
+          Gitlab::SafeRequestStore[:disable_net_http_decompression] = false
+        end
+      end
+
       private
 
       def http_v2_options(options)
diff --git a/lib/gitlab/jira/http_client.rb b/lib/gitlab/jira/http_client.rb
index 2b8b01e2023..8b99c31e34f 100644
--- a/lib/gitlab/jira/http_client.rb
+++ b/lib/gitlab/jira/http_client.rb
@@ -46,7 +46,7 @@ module Gitlab
           request_params[:write_timeout]
         ].max
 
-        result = Gitlab::HTTP.public_send(http_method, path, **request_params) # rubocop:disable GitlabSecurity/PublicSend
+        result = Integrations::Clients::HTTP.public_send(http_method, path, **request_params) # rubocop:disable GitlabSecurity/PublicSend
         @authenticated = result.response.is_a?(Net::HTTPOK)
         store_cookies(result) if options[:use_cookies]
 
diff --git a/lib/gitlab/prometheus_client.rb b/lib/gitlab/prometheus_client.rb
index 9507c0ab186..4cb2155356a 100644
--- a/lib/gitlab/prometheus_client.rb
+++ b/lib/gitlab/prometheus_client.rb
@@ -151,7 +151,7 @@ module Gitlab
     end
 
     def get(path, args)
-      Gitlab::HTTP.get(path, { query: args }.merge(http_options))
+      Integrations::Clients::HTTP.get(path, { query: args }.merge(http_options))
     rescue *Gitlab::HTTP::HTTP_ERRORS => e
       raise PrometheusClient::ConnectionError, e.message
     end
diff --git a/lib/gitlab/slash_commands/verify_request.rb b/lib/gitlab/slash_commands/verify_request.rb
index 41f71064573..3ca8b8ee8c2 100644
--- a/lib/gitlab/slash_commands/verify_request.rb
+++ b/lib/gitlab/slash_commands/verify_request.rb
@@ -31,7 +31,7 @@ module Gitlab
       def update_source_message
         request_body = Gitlab::Json.dump(verified_request_body)
 
-        Gitlab::HTTP.post(response_url, body: request_body, headers: headers)
+        Integrations::Clients::HTTP.post(response_url, body: request_body, headers: headers)
       end
 
       def verified_request_body
diff --git a/lib/gitlab/zentao/client.rb b/lib/gitlab/zentao/client.rb
index d8b4d47707d..6964a2be7a6 100644
--- a/lib/gitlab/zentao/client.rb
+++ b/lib/gitlab/zentao/client.rb
@@ -64,7 +64,7 @@ module Gitlab
 
       def get(path, params = {})
         options = { headers: headers, query: params }
-        response = Gitlab::HTTP.get(url(path), options)
+        response = Integrations::Clients::HTTP.get(url(path), options)
 
         raise RequestError unless response.success?
 
diff --git a/lib/import/clients/http.rb b/lib/import/clients/http.rb
new file mode 100644
index 00000000000..755f4674a78
--- /dev/null
+++ b/lib/import/clients/http.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Import
+  module Clients
+    class HTTP
+      class << self
+        def delete(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.delete(path, options, &block)
+        end
+
+        def head(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.head(path, options, &block)
+        end
+
+        def get(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.get(path, options, &block)
+        end
+
+        def post(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.post(path, options, &block)
+        end
+
+        def put(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.put(path, options, &block)
+        end
+
+        def try_get(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.try_get(path, options, &block)
+        end
+
+        private
+
+        def default_max_bytes
+          Gitlab::CurrentSettings.max_http_response_size_limit.megabytes
+        end
+      end
+    end
+  end
+end
diff --git a/lib/integrations/clients/http.rb b/lib/integrations/clients/http.rb
new file mode 100644
index 00000000000..498cb3e208f
--- /dev/null
+++ b/lib/integrations/clients/http.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Integrations
+  module Clients
+    class HTTP
+      class << self
+        def delete(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.delete(path, options, &block)
+        end
+
+        def head(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.head(path, options, &block)
+        end
+
+        def get(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.get(path, options, &block)
+        end
+
+        def post(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.post(path, options, &block)
+        end
+
+        def put(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.put(path, options, &block)
+        end
+
+        def try_get(path, options = {}, &block)
+          options[:max_bytes] ||= default_max_bytes
+
+          Gitlab::HTTP.try_get(path, options, &block)
+        end
+
+        private
+
+        def default_max_bytes
+          Gitlab::CurrentSettings.max_http_response_size_limit.megabytes
+        end
+      end
+    end
+  end
+end
diff --git a/lib/mattermost/session.rb b/lib/mattermost/session.rb
index a92730b0aae..fa327de3f37 100644
--- a/lib/mattermost/session.rb
+++ b/lib/mattermost/session.rb
@@ -78,19 +78,19 @@ module Mattermost
 
     def get(path, options = {})
       handle_exceptions do
-        Gitlab::HTTP.get(path, build_options(options))
+        Integrations::Clients::HTTP.get(path, build_options(options))
       end
     end
 
     def post(path, options = {})
       handle_exceptions do
-        Gitlab::HTTP.post(path, build_options(options))
+        Integrations::Clients::HTTP.post(path, build_options(options))
       end
     end
 
     def delete(path, options = {})
       handle_exceptions do
-        Gitlab::HTTP.delete(path, build_options(options))
+        Integrations::Clients::HTTP.delete(path, build_options(options))
       end
     end
 
diff --git a/lib/microsoft_teams/notifier.rb b/lib/microsoft_teams/notifier.rb
index dcf9ed4d494..785a4343626 100644
--- a/lib/microsoft_teams/notifier.rb
+++ b/lib/microsoft_teams/notifier.rb
@@ -11,7 +11,7 @@ module MicrosoftTeams
       result = false
 
       begin
-        response = Gitlab::HTTP.post(
+        response = Integrations::Clients::HTTP.post(
           @webhook.to_str,
           headers: @header,
           body: body(**options)
diff --git a/lib/slack/api.rb b/lib/slack/api.rb
index 0775e783337..706da06dad5 100644
--- a/lib/slack/api.rb
+++ b/lib/slack/api.rb
@@ -17,7 +17,7 @@ module Slack
       url = "#{BASE_URL}/#{api_method}"
       headers = BASE_HEADERS.merge('Authorization' => "Bearer #{token}")
 
-      Gitlab::HTTP.post(url, body: payload.to_json, headers: headers)
+      Integrations::Clients::HTTP.post(url, body: payload.to_json, headers: headers)
     end
 
     private
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index bba7ae149de..84fd4a3f98a 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -3971,6 +3971,9 @@ msgstr ""
 msgid "AdherenceReport|There was an error loading adherence report."
 msgstr ""
 
+msgid "AdherenceReport|To show a status here, you must %{linkStart}create a compliance framework with requirements and controls%{linkEnd} and apply it to projects in this group. New frameworks can take a few minutes to appear."
+msgstr ""
+
 msgid "AdherenceReport|We are replacing the standards adherence report with the compliance status report, which includes new features to enhance your compliance workflow."
 msgstr ""
 
@@ -40016,10 +40019,10 @@ msgstr ""
 msgid "Must start with letter, digit, emoji, or underscore. Can also contain periods, dashes, spaces, and parentheses."
 msgstr ""
 
-msgid "My awesome group"
+msgid "My company or team"
 msgstr ""
 
-msgid "My company or team"
+msgid "My group"
 msgstr ""
 
 msgid "My reaction"
@@ -43110,9 +43113,6 @@ msgstr ""
 msgid "Organization|Change organization URL"
 msgstr ""
 
-msgid "Organization|Changing an organization's URL can have unintended side effects."
-msgstr ""
-
 msgid "Organization|Choose organization visibility level."
 msgstr ""
 
@@ -43240,7 +43240,7 @@ msgid_plural "Organization|Organizations must have at least one owner. To delete
 msgstr[0] ""
 msgstr[1] ""
 
-msgid "Organization|Perform advanced options such as deleting the organization."
+msgid "Organization|Perform advanced options such as changing the organization URL."
 msgstr ""
 
 msgid "Organization|Private - The organization can only be viewed by members."
@@ -43279,7 +43279,7 @@ msgstr ""
 msgid "Organization|Unable to fetch organizations. Reload the page to try again."
 msgstr ""
 
-msgid "Organization|Update your organization name, description, and avatar."
+msgid "Organization|Update your organization name, description, and avatar. %{linkStart}Learn more about organizations%{linkEnd}."
 msgstr ""
 
 msgid "Organization|View all"
@@ -47764,6 +47764,9 @@ msgstr ""
 msgid "Project %{code_open}%{source_project}%{code_close} has more restricted access settings than %{code_open}%{target_project}%{code_close}. To avoid exposing private changes, make sure you're submitting changes to the correct project."
 msgstr ""
 
+msgid "Project %{project_name} and framework are not from same namespace."
+msgstr ""
+
 msgid "Project %{project_repo} could not be found"
 msgstr ""
 
@@ -47965,6 +47968,9 @@ msgstr ""
 msgid "Project was not found or you do not have permission to add this project to Security Dashboards."
 msgstr ""
 
+msgid "Project with ID %{project_id} not found"
+msgstr ""
+
 msgid "Project:Branches: %{source_project_path}:%{source_branch} to %{target_project_path}:%{target_branch}"
 msgstr ""
 
@@ -49132,7 +49138,7 @@ msgstr ""
 msgid "ProjectsNewEdit|Must start with a letter, digit, emoji, or underscore. Can also contain periods, dashes, spaces, and parentheses."
 msgstr ""
 
-msgid "ProjectsNewEdit|My awesome project"
+msgid "ProjectsNewEdit|My project"
 msgstr ""
 
 msgid "ProjectsNewEdit|Project description"
@@ -49284,7 +49290,7 @@ msgstr ""
 msgid "ProjectsNew|Must start with a lowercase or uppercase letter, digit, emoji, or underscore. Can also contain dots, pluses, dashes, or spaces."
 msgstr ""
 
-msgid "ProjectsNew|My awesome project"
+msgid "ProjectsNew|My project"
 msgstr ""
 
 msgid "ProjectsNew|New project"
@@ -70841,9 +70847,6 @@ msgstr ""
 msgid "Workspaces|If your devfile is not in the root directory of your project, specify a relative path."
 msgstr ""
 
-msgid "Workspaces|In order to make an agent available/blocked, workspaces must be enabled in the agent's configuration."
-msgstr ""
-
 msgid "Workspaces|Instant development environments"
 msgstr ""
 
@@ -70928,6 +70931,9 @@ msgstr ""
 msgid "Workspaces|This agent is already allowed."
 msgstr ""
 
+msgid "Workspaces|This agent is already available."
+msgstr ""
+
 msgid "Workspaces|This agent is already blocked."
 msgstr ""
 
diff --git a/spec/controllers/concerns/rapid_diffs/streaming_resource_spec.rb b/spec/controllers/concerns/rapid_diffs/streaming_resource_spec.rb
index b5213f7b666..64a9082b688 100644
--- a/spec/controllers/concerns/rapid_diffs/streaming_resource_spec.rb
+++ b/spec/controllers/concerns/rapid_diffs/streaming_resource_spec.rb
@@ -53,12 +53,12 @@ RSpec.describe RapidDiffs::StreamingResource, type: :controller, feature_categor
     let(:controller_instance) { controller.new }
     let(:mock_resource) { instance_double(::Commit) }
     let(:mock_diffs) { instance_double(Gitlab::Diff::FileCollection::Commit, diff_files: diff_files) }
-    let(:diff_files) { [{}] }
+    let(:diff_files) { [build(:diff_file)] }
     let(:stream) { instance_double(ActionDispatch::Response::Buffer, write: nil, close: nil) }
     let(:response) { instance_double(ActionDispatch::Response, stream: stream) }
 
     let(:empty_state_html) { '<empty-state>No changes</empty-state>' }
-    let(:diffs_html) { '<diffs></diffs>' }
+    let(:diff_html) { '<diff-file></diff-file>' }
 
     before do
       allow(controller_instance).to receive_messages(
@@ -72,16 +72,37 @@ RSpec.describe RapidDiffs::StreamingResource, type: :controller, feature_categor
       allow(mock_resource).to receive(:diffs_for_streaming).and_return(mock_diffs)
       allow(mock_resource).to receive(:first_diffs_slice).with(1, any_args).and_return(diff_files)
       allow(RapidDiffs::DiffFileComponent).to receive_message_chain(:with_collection, :render_in)
-        .and_return(diffs_html)
+        .and_return(diff_html)
+      allow(RapidDiffs::DiffFileComponent).to receive_message_chain(:new, :call)
+        .and_return(diff_html)
+      allow(RapidDiffs::DiffFileComponent).to receive_message_chain(:new, :render_in)
+        .and_return(diff_html)
     end
 
     it 'renders diffs' do
       controller_instance.send(:diffs)
-      expect(response.stream).to have_received(:write).with(diffs_html)
+      expect(response.stream).to have_received(:write).with(diff_html)
       # ensure we're not doing double work when checking for empty state
       expect(mock_resource).to have_received(:diffs_for_streaming).once
     end
 
+    context 'with non-sequential collapsed diffs' do
+      let(:diff_files) do
+        collapsed_diff = build(:diff_file)
+        expanded_diff = build(:diff_file)
+        allow(collapsed_diff).to receive(:no_preview?).and_return(true)
+        allow(expanded_diff).to receive(:no_preview?).and_return(false)
+        [expanded_diff, collapsed_diff, expanded_diff, collapsed_diff]
+      end
+
+      it 'renders diffs' do
+        controller_instance.send(:diffs)
+        expect(response.stream).to have_received(:write).with(diff_html).exactly(diff_files.count).times
+        # ensure we're not doing double work when checking for empty state
+        expect(mock_resource).to have_received(:diffs_for_streaming).once
+      end
+    end
+
     context 'when no diffs and no offset' do
       let(:diff_files) { [] }
 
@@ -104,7 +125,7 @@ RSpec.describe RapidDiffs::StreamingResource, type: :controller, feature_categor
 
       it 'renders diffs' do
         controller_instance.send(:diffs)
-        expect(response.stream).to have_received(:write).with(diffs_html)
+        expect(response.stream).to have_received(:write).with(diff_html)
       end
     end
   end
diff --git a/spec/controllers/glql/base_controller_spec.rb b/spec/controllers/glql/base_controller_spec.rb
index f8d2c1c3cd8..d9f30532c56 100644
--- a/spec/controllers/glql/base_controller_spec.rb
+++ b/spec/controllers/glql/base_controller_spec.rb
@@ -177,21 +177,6 @@ RSpec.describe Glql::BaseController, feature_category: :integrations do
 
   describe '#append_info_to_payload' do
     let(:log_payload) { {} }
-    let(:expected_logs) do
-      [
-        {
-          operation_name: 'GLQL',
-          complexity: 1,
-          depth: 1,
-          used_deprecated_arguments: [],
-          used_deprecated_fields: [],
-          used_fields: ['Query.__typename'],
-          variables: '{}',
-          glql_referer: 'path',
-          glql_query_sha: query_sha
-        }
-      ]
-    end
 
     before do
       RequestStore.clear!
@@ -203,11 +188,51 @@ RSpec.describe Glql::BaseController, feature_category: :integrations do
       end
     end
 
-    it 'appends glql-related metadata for logging' do
-      execute_request
+    context 'when GraphQL execution succeeds' do
+      let(:expected_logs) do
+        [
+          {
+            operation_name: 'GLQL',
+            complexity: 1,
+            depth: 1,
+            used_deprecated_arguments: [],
+            used_deprecated_fields: [],
+            used_fields: ['Query.__typename'],
+            variables: '{}',
+            glql_referer: 'path',
+            glql_query_sha: query_sha
+          }
+        ]
+      end
 
-      expect(controller).to have_received(:append_info_to_payload)
-      expect(log_payload.dig(:metadata, :graphql)).to match_array(expected_logs)
+      it 'appends glql-related metadata for logging' do
+        execute_request
+
+        expect(controller).to have_received(:append_info_to_payload)
+        expect(log_payload.dig(:metadata, :graphql)).to match_array(expected_logs)
+      end
+    end
+
+    context 'when GraphQL execution fails' do
+      let(:expected_error_logs) do
+        [
+          {
+            glql_referer: 'path',
+            glql_query_sha: query_sha
+          }
+        ]
+      end
+
+      it 'still appends glql-related metadata for logging' do
+        allow(controller).to receive(:execute) do
+          raise ActiveRecord::QueryAborted
+        end
+
+        execute_request
+
+        expect(controller).to have_received(:append_info_to_payload)
+        expect(log_payload.dig(:metadata, :graphql)).to match_array(expected_error_logs)
+      end
     end
   end
 
diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
index a037ddc177f..bb275f85a61 100644
--- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
@@ -89,22 +89,19 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
     end
 
     context 'with revoked deploy token' do
-      let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) }
-      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes, groups: [group]) }
 
       it { is_expected.to have_gitlab_http_status(:unauthorized) }
     end
 
     context 'with expired deploy token' do
-      let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) }
-      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes, groups: [group]) }
 
       it { is_expected.to have_gitlab_http_status(:unauthorized) }
     end
 
     context 'with deploy token with insufficient scopes' do
-      let_it_be(:user) { create(:deploy_token, :group) }
-      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      let_it_be(:user) { create(:deploy_token, :group, groups: [group]) }
 
       it { is_expected.to have_gitlab_http_status(:not_found) }
     end
@@ -198,8 +195,7 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
     end
 
     context 'with a deploy token' do
-      let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group) }
-      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group, groups: [group]) }
 
       it_behaves_like 'sends Workhorse instructions'
     end
@@ -415,18 +411,14 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
       end
 
       context 'a valid deploy token' do
-        let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+        let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group, groups: [group]) }
 
         it_behaves_like 'a successful manifest pull'
 
         context 'pulling from a subgroup' do
           let_it_be_with_reload(:parent_group) { create(:group) }
           let_it_be_with_reload(:group) { create(:group, parent: parent_group) }
-
-          before do
-            group_deploy_token.update_column(:group_id, parent_group.id)
-          end
+          let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group, groups: [parent_group]) }
 
           it_behaves_like 'a successful manifest pull'
         end
@@ -536,18 +528,14 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
       end
 
       context 'a valid deploy token' do
-        let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+        let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes, groups: [group]) }
 
         it_behaves_like 'a successful blob pull'
 
         context 'pulling from a subgroup' do
           let_it_be_with_reload(:parent_group) { create(:group) }
           let_it_be_with_reload(:group) { create(:group, parent: parent_group) }
-
-          before do
-            group_deploy_token.update_column(:group_id, parent_group.id)
-          end
+          let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes, groups: [parent_group]) }
 
           it_behaves_like 'a successful blob pull'
         end
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index 822f165584c..7f0c3cea273 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -459,6 +459,39 @@ RSpec.describe ProjectsController, feature_category: :groups_and_projects do
       end
     end
 
+    context 'redirection from http://someproject?format=git' do
+      let_it_be_with_reload(:public_project) { create(:project, :public) }
+
+      context 'with git in project path' do
+        before do
+          public_project.update!(path: 'my.gitlab')
+
+          request.env['PATH_INFO'] = "/#{public_project.namespace.path}/#{public_project.path}"
+          request.env['QUERY_STRING'] = 'format=git'
+        end
+
+        it 'does not trigger a redirect' do
+          get :show,
+            params: { namespace_id: public_project.namespace.path, id: public_project.path },
+            format: :git
+
+          expect(response).to have_gitlab_http_status(:not_found)
+          expect(response).not_to redirect_to(project_path(public_project))
+        end
+      end
+
+      context 'with git not in project path' do
+        it 'does trigger a redirect' do
+          get :show,
+            params: { namespace_id: public_project.namespace.path, id: public_project.path },
+            format: :git
+
+          expect(response).to have_gitlab_http_status(:found)
+          expect(response).to redirect_to(project_path(public_project))
+        end
+      end
+    end
+
     context 'when project is moved and git format is requested' do
       let(:old_path) { project.path + 'old' }
 
diff --git a/spec/factories/deploy_tokens.rb b/spec/factories/deploy_tokens.rb
index 0c6638404c0..704e74d020b 100644
--- a/spec/factories/deploy_tokens.rb
+++ b/spec/factories/deploy_tokens.rb
@@ -12,6 +12,12 @@ FactoryBot.define do
     revoked { false }
     expires_at { 5.days.from_now.to_datetime }
     deploy_token_type { DeployToken.deploy_token_types[:project_type] }
+    projects { [association(:project)] }
+
+    before(:create) do |record|
+      record.project_id ||= record.project&.id
+      record.group_id ||= record.group&.id
+    end
 
     trait :revoked do
       revoked { true }
@@ -27,6 +33,8 @@ FactoryBot.define do
 
     trait :group do
       deploy_token_type { DeployToken.deploy_token_types[:group_type] }
+      projects { [] }
+      groups { [association(:group)] }
     end
 
     trait :project do
diff --git a/spec/features/groups/dependency_proxy_for_containers_spec.rb b/spec/features/groups/dependency_proxy_for_containers_spec.rb
index 13fb99d7717..8fc3eccaca6 100644
--- a/spec/features/groups/dependency_proxy_for_containers_spec.rb
+++ b/spec/features/groups/dependency_proxy_for_containers_spec.rb
@@ -110,19 +110,15 @@ RSpec.describe 'Group Dependency Proxy for containers', :js, feature_category: :
       end
 
       context 'with a group deploy token' do
-        before do
-          create(:group_deploy_token, group: group, deploy_token: deploy_token)
-        end
-
         context 'with sufficient scopes' do
-          let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+          let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes, groups: [group]) }
           let_it_be(:headers) { { 'Authorization' => "Bearer #{build_jwt(deploy_token).encoded}" } }
 
           it_behaves_like 'responds with the file'
         end
 
         context 'with insufficient scopes' do
-          let_it_be(:deploy_token) { create(:deploy_token, :group) }
+          let_it_be(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
           let_it_be(:headers) { { 'Authorization' => "Bearer #{build_jwt(deploy_token).encoded}" } }
 
           it_behaves_like 'returns not found'
diff --git a/spec/finders/concerns/packages/finder_helper_spec.rb b/spec/finders/concerns/packages/finder_helper_spec.rb
index b8696cbe500..679ffae6a3b 100644
--- a/spec/finders/concerns/packages/finder_helper_spec.rb
+++ b/spec/finders/concerns/packages/finder_helper_spec.rb
@@ -96,8 +96,7 @@ RSpec.describe ::Packages::FinderHelper, feature_category: :package_registry do
     end
 
     context 'with a deploy token' do
-      let_it_be(:user) { create(:deploy_token, :group, read_package_registry: true) }
-      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      let_it_be(:user) { create(:deploy_token, :group, read_package_registry: true, groups: [group.reload]) }
 
       where(:group_visibility, :subgroup_visibility, :shared_example_name) do
         'public'  | 'public'  | 'returning both packages'
@@ -245,8 +244,7 @@ RSpec.describe ::Packages::FinderHelper, feature_category: :package_registry do
       end
 
       context 'with a group deploy token' do
-        let_it_be(:user) { create(:deploy_token, :group, read_package_registry: true) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+        let_it_be(:user) { create(:deploy_token, :group, read_package_registry: true, groups: [group.reload]) }
 
         where(:group_visibility, :subgroup_visibility, :project2_visibility, :shared_example_name) do
           'PUBLIC'  | 'PUBLIC'  | 'PUBLIC'  | 'returning both packages'
@@ -324,8 +322,7 @@ RSpec.describe ::Packages::FinderHelper, feature_category: :package_registry do
     end
 
     shared_examples 'handles a group deploy token' do
-      let_it_be(:user) { create(:deploy_token, :group, read_package_registry: true) }
-      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      let_it_be(:user) { create(:deploy_token, :group, read_package_registry: true, groups: [group.reload]) }
 
       before do
         project2.update!(visibility_level: Gitlab::VisibilityLevel.const_get('PRIVATE', false))
diff --git a/spec/finders/packages/group_packages_finder_spec.rb b/spec/finders/packages/group_packages_finder_spec.rb
index 9690d124f16..7125f29f2c2 100644
--- a/spec/finders/packages/group_packages_finder_spec.rb
+++ b/spec/finders/packages/group_packages_finder_spec.rb
@@ -146,8 +146,7 @@ RSpec.describe Packages::GroupPackagesFinder, feature_category: :package_registr
           let(:add_user_to_group) { false }
 
           context 'group deploy token' do
-            let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true) }
-            let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: deploy_token_for_group, group: group) }
+            let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, groups: [group.reload]) }
 
             let(:user) { deploy_token_for_group }
 
@@ -159,8 +158,7 @@ RSpec.describe Packages::GroupPackagesFinder, feature_category: :package_registr
           end
 
           context 'project deploy token' do
-            let_it_be(:deploy_token_for_project) { create(:deploy_token, read_package_registry: true) }
-            let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token_for_project, project: subproject) }
+            let_it_be(:deploy_token_for_project) { create(:deploy_token, read_package_registry: true, projects: [subproject]) }
 
             let(:user) { deploy_token_for_project }
 
diff --git a/spec/frontend/behaviors/components/json_table_spec.js b/spec/frontend/behaviors/components/json_table_spec.js
index 3277e58669a..5a5c6e7bb67 100644
--- a/spec/frontend/behaviors/components/json_table_spec.js
+++ b/spec/frontend/behaviors/components/json_table_spec.js
@@ -1,8 +1,5 @@
 import { GlTable, GlFormInput } from '@gitlab/ui';
-import { nextTick } from 'vue';
-import { merge } from 'lodash';
-import { shallowMountExtended, mountExtended } from 'helpers/vue_test_utils_helper';
-import { stubComponent, RENDER_ALL_SLOTS_TEMPLATE } from 'helpers/stub_component';
+import { mountExtended } from 'helpers/vue_test_utils_helper';
 import JSONTable from '~/behaviors/components/json_table.vue';
 
 const TEST_FIELDS = [
@@ -30,38 +27,24 @@ describe('behaviors/components/json_table', () => {
   let wrapper;
 
   const buildWrapper = ({
-    fields = [],
-    items = [],
+    fields = ['A'],
+    items = [{ A: 'Foo bar' }],
     filter = undefined,
     caption = undefined,
+    isHtmlSafe = false,
   } = {}) => {
-    wrapper = shallowMountExtended(JSONTable, {
+    wrapper = mountExtended(JSONTable, {
       propsData: {
         fields,
         items,
         hasFilter: filter,
         caption,
-      },
-      stubs: {
-        GlTable: merge(stubComponent(GlTable), {
-          props: {
-            fields: {
-              type: Array,
-              required: true,
-            },
-            items: {
-              type: Array,
-              required: true,
-            },
-          },
-          template: RENDER_ALL_SLOTS_TEMPLATE,
-        }),
+        isHtmlSafe,
       },
     });
   };
 
   const findTable = () => wrapper.findComponent(GlTable);
-  const findTableCaption = () => wrapper.findByTestId('slot-table-caption');
   const findFilterInput = () => wrapper.findComponent(GlFormInput);
 
   describe('default', () => {
@@ -69,15 +52,9 @@ describe('behaviors/components/json_table', () => {
       buildWrapper();
     });
 
-    it('renders gltable', () => {
-      expect(findTable().props()).toMatchObject({
-        fields: [],
-        items: [],
-      });
-      expect(findTable().attributes()).toMatchObject({
-        filter: '',
-        'show-empty': '',
-      });
+    it('renders a GLTable', () => {
+      expect(findTable().props()).toMatchObject({ fields: ['A'] });
+      expect(findTable().html()).toContain('Foo bar');
     });
 
     it('does not render filter input', () => {
@@ -85,7 +62,7 @@ describe('behaviors/components/json_table', () => {
     });
 
     it('renders caption', () => {
-      expect(findTableCaption().text()).toBe('Generated with JSON data');
+      expect(findTable().text()).toContain('Generated with JSON data');
     });
   });
 
@@ -97,22 +74,23 @@ describe('behaviors/components/json_table', () => {
     });
 
     it('renders filter input', () => {
-      expect(findFilterInput().attributes()).toMatchObject({
+      expect(findFilterInput().props()).toMatchObject({
         value: '',
         placeholder: 'Type to search',
       });
     });
 
     it('when input is changed, updates table filter', async () => {
-      findFilterInput().vm.$emit('input', 'New value!');
+      await findFilterInput().vm.$emit('input', 'New value!');
 
-      await nextTick();
-
-      expect(findTable().attributes('filter')).toBe('New value!');
+      expect(findFilterInput().props()).toMatchObject({
+        placeholder: 'Type to search',
+        value: 'New value!',
+      });
     });
   });
 
-  describe('with fields', () => {
+  describe('with multiple fields', () => {
     beforeEach(() => {
       buildWrapper({
         fields: TEST_FIELDS,
@@ -138,24 +116,39 @@ describe('behaviors/components/json_table', () => {
           },
           'D',
         ],
-        items: TEST_ITEMS,
       });
+
+      const html = findTable().html();
+
+      expect(html).toContain('lorem');
+      expect(html).toContain('ipsum');
+      expect(html).toContain('dolar');
     });
   });
 
-  describe('with full mount', () => {
+  describe('with HTML content', () => {
     beforeEach(() => {
-      wrapper = mountExtended(JSONTable, {
-        propsData: {
-          fields: [],
-          items: [],
-        },
+      buildWrapper({
+        fields: ['AB'],
+        items: [
+          { AB: '<div class="malicious-class" style="position:fixed;">Cell</div>' },
+          { AB: '<div class="malicious-class" style="position:fixed;">Cell</div>' },
+        ],
+        isHtmlSafe: true,
+        caption: `loading ... <i class="js-toggle-container"><i class='js-toggle-lazy-diff file-holder diff-content' style='position:fixed;top:0px;left:0px;right:0px;bottom:0px' data-lines-path='https://gitlab.com/-/snippets/4789748/raw/main/alert.json'> <table><tbody></tbody></table></i>`,
       });
     });
 
-    // We want to make sure all the props are passed down nicely in integration
-    it('renders table without errors', () => {
-      expect(findTable().exists()).toBe(true);
+    it('sanitizes caption and cell HTML by removing class and style attributes', () => {
+      const tableHtml = findTable().html();
+
+      expect(tableHtml).toContain('loading');
+      expect(tableHtml).toContain('Cell');
+
+      expect(tableHtml).not.toContain('i class=');
+      expect(tableHtml).not.toContain('style=');
+      expect(tableHtml).not.toContain('class="malicious-class"');
+      expect(tableHtml).not.toContain('style="position:fixed;"');
     });
   });
 });
diff --git a/spec/frontend/behaviors/markdown/render_json_table_spec.js b/spec/frontend/behaviors/markdown/render_json_table_spec.js
index c2d0e2c66c7..007cd7cbfd2 100644
--- a/spec/frontend/behaviors/markdown/render_json_table_spec.js
+++ b/spec/frontend/behaviors/markdown/render_json_table_spec.js
@@ -121,6 +121,33 @@ describe('behaviors/markdown/render_json_table', () => {
         expect(findInputs()).toHaveLength(1);
       });
     });
+
+    describe('with isHtmlSafe set in userData', () => {
+      beforeEach(async () => {
+        const maliciousData = {
+          fields: [{ key: 'content', label: 'Content' }],
+          items: [{ content: '<div class="malicious" style="position:fixed;">XSS attempt</div>' }],
+          isHtmlSafe: true, // This should be ignored
+          caption: '<div class="malicious-caption" style="position:fixed;">XSS caption</div>',
+        };
+
+        await createTestSubject(JSON.stringify(maliciousData));
+      });
+
+      it('ignores isHtmlSafe from userData and sanitizes HTML', () => {
+        const tables = findTables();
+        expect(tables).toHaveLength(1);
+
+        const cellHtml = tables[0].querySelector('tbody td').innerHTML;
+        expect(cellHtml).toEqual(
+          '&lt;div class="malicious" style="position:fixed;"&gt;XSS attempt&lt;/div&gt;',
+        );
+
+        expect(findCaption().outerHTML).toEqual(
+          '<caption><small>&lt;div class="malicious-caption" style="position:fixed;"&gt;XSS caption&lt;/div&gt;</small></caption>',
+        );
+      });
+    });
   });
 
   describe('markdown JSON table', () => {
diff --git a/spec/frontend/organizations/settings/general/components/change_url_spec.js b/spec/frontend/organizations/settings/general/components/change_url_spec.js
index f8a7fae12ed..dd458fd0da7 100644
--- a/spec/frontend/organizations/settings/general/components/change_url_spec.js
+++ b/spec/frontend/organizations/settings/general/components/change_url_spec.js
@@ -66,16 +66,6 @@ describe('ChangeUrl', () => {
     expect(findOrganizationUrlField().exists()).toBe(true);
   });
 
-  it('disables submit button until `Organization URL` field is changed', async () => {
-    createComponent();
-
-    expect(findSubmitButton().props('disabled')).toBe(true);
-
-    await findOrganizationUrlField().setValue('foo-bar-baz');
-
-    expect(findSubmitButton().props('disabled')).toBe(false);
-  });
-
   describe('when form is submitted', () => {
     it('requires `Organization URL` field', async () => {
       createComponent();
diff --git a/spec/frontend/organizations/settings/general/components/organization_settings_spec.js b/spec/frontend/organizations/settings/general/components/organization_settings_spec.js
index 3b4340389fb..23c1cb17303 100644
--- a/spec/frontend/organizations/settings/general/components/organization_settings_spec.js
+++ b/spec/frontend/organizations/settings/general/components/organization_settings_spec.js
@@ -1,5 +1,6 @@
 import VueApollo from 'vue-apollo';
 import Vue, { nextTick } from 'vue';
+import { GlSprintf } from '@gitlab/ui';
 
 import organizationUpdateResponse from 'test_fixtures/graphql/organizations/organization_update.mutation.graphql.json';
 import organizationUpdateResponseWithErrors from 'test_fixtures/graphql/organizations/organization_update.mutation.graphql_with_errors.json';
@@ -14,6 +15,7 @@ import {
   FORM_FIELD_DESCRIPTION,
 } from '~/organizations/shared/constants';
 import FormErrorsAlert from '~/organizations/shared/components/errors_alert.vue';
+import HelpPageLink from '~/vue_shared/components/help_page_link/help_page_link.vue';
 import organizationUpdateMutation from '~/organizations/settings/general/graphql/mutations/organization_update.mutation.graphql';
 import { createAlert } from '~/alert';
 import { visitUrlWithAlerts } from '~/lib/utils/url_utility';
@@ -65,10 +67,12 @@ describe('OrganizationSettings', () => {
       provide: { ...defaultProvide, ...provide },
       propsData: { ...defaultPropsData, ...propsData },
       apolloProvider: mockApollo,
+      stubs: { GlSprintf },
     });
   };
 
   const findForm = () => wrapper.findComponent(NewEditForm);
+  const findHelpPageLink = () => wrapper.findComponent(HelpPageLink);
   const submitForm = async (data = {}) => {
     findForm().vm.$emit('submit', {
       name: 'Foo bar',
@@ -88,11 +92,10 @@ describe('OrganizationSettings', () => {
     mockApollo = null;
   });
 
-  it('renders settings block with correct props', () => {
-    expect(findSettingsBlock().props()).toEqual({
-      title: 'Organization settings',
-      ...defaultPropsData,
-    });
+  it('renders settings block with correct props and link to docs', () => {
+    expect(wrapper.findComponent(SettingsBlock).exists()).toBe(true);
+    expect(findHelpPageLink().text()).toBe('Learn more about organizations');
+    expect(findHelpPageLink().props('href')).toBe('user/organization/_index.md');
   });
 
   it('renders form with correct props', () => {
diff --git a/spec/frontend/search/results/components/blob_header_spec.js b/spec/frontend/search/results/components/blob_header_spec.js
index 79954710281..c9fc896d036 100644
--- a/spec/frontend/search/results/components/blob_header_spec.js
+++ b/spec/frontend/search/results/components/blob_header_spec.js
@@ -114,4 +114,101 @@ describe('BlobHeader', () => {
       expect(trackEventSpy).toHaveBeenCalledWith(event, {}, undefined);
     });
   });
+
+  describe('path sanitization', () => {
+    const maliciousFilePaths = [
+      '<a href=#>malicious.js</a>',
+      '<a href=# onclick="alert(1)">file.js</a>',
+      "<a href=#><div class=js-new-user-signups-cap-reached data-dismiss-endpoint='/api/v4/user/emails?email=attacker123@test.se' data-defer-links=false data-feature-id=1><button class='js-close fixed-top gl-h-full gl-w-full'>Cloud Flare check you are human</button></div></a>",
+      '\\u003cdiv\\u003emalicious.js\\u003c/div\\u003e',
+      "\u003cdiv class=js-new-user-signups-cap-reached data-dismiss-endpoint='/api/v4/user/emails?email=attacker123@test.se' data-defer-links=false data-feature-id=1\u003e\u003cbutton class='js-close fixed-top gl-h-full gl-w-full'\u003eCloud Flare check you are human\u003c/button\u003e\u003c/div\u003e",
+    ];
+
+    it.each(maliciousFilePaths)('sanitizes malicious file path: %s', (filePath) => {
+      createComponent({
+        filePath,
+        projectPath: 'Testjs/Test',
+        fileUrl: 'https://gitlab.com/test/file.js',
+        systemColorScheme: 'gl-light',
+      });
+
+      const fileNameContent = findProjectName();
+      expect(fileNameContent.exists()).toBe(true);
+      expect(fileNameContent.text()).not.toContain('<script>');
+      expect(fileNameContent.text()).not.toContain('onclick');
+      expect(fileNameContent.text()).not.toContain('<button>');
+      expect(fileNameContent.text()).not.toContain('data-');
+    });
+
+    it('passes sanitized path to clipboard button', () => {
+      const maliciousPath = '<script>alert("XSS")</b>innocent.js';
+
+      createComponent({
+        filePath: maliciousPath,
+        projectPath: 'Testjs/Test',
+        fileUrl: 'https://gitlab.com/test/file.js',
+        systemColorScheme: 'gl-light',
+      });
+
+      expect(findClipboardButton().props('text')).toBe(maliciousPath);
+      expect(findClipboardButton().props('gfm')).not.toContain('<script>');
+    });
+  });
+
+  describe('highlighting with search query', () => {
+    it('applies highlighting when search term is in file path', () => {
+      const filePath = 'folder/searchTerm/file.js';
+
+      createComponent(
+        {
+          filePath,
+          projectPath: 'Testjs/Test',
+          fileUrl: 'https://gitlab.com/test/file.js',
+          systemColorScheme: 'gl-light',
+        },
+        { query: { search: 'searchTerm' } },
+      );
+      const fileNameContent = findProjectName().html();
+      expect(fileNameContent).toContain('<span class="highlight-search-term');
+      expect(fileNameContent).toContain('searchTerm');
+    });
+
+    it('does not apply highlighting for potential regex patterns', () => {
+      const filePath = 'folder/test+/file.js';
+
+      window.containsPotentialRegex = jest.fn().mockReturnValue(true);
+
+      createComponent(
+        {
+          filePath,
+          projectPath: 'Testjs/Test',
+          fileUrl: 'https://gitlab.com/test/file.js',
+          systemColorScheme: 'gl-light',
+        },
+        { query: { search: 'test+' } },
+      );
+
+      const fileNameContent = findProjectName().html();
+      expect(fileNameContent).not.toContain('<span class="highlight-search-term');
+    });
+
+    it('handles empty search query gracefully', () => {
+      const filePath = 'folder/test/file.js';
+
+      createComponent(
+        {
+          filePath,
+          projectPath: 'Testjs/Test',
+          fileUrl: 'https://gitlab.com/test/file.js',
+          systemColorScheme: 'gl-light',
+        },
+        { query: { search: '' } },
+      );
+
+      const fileNameContent = findProjectName();
+
+      expect(fileNameContent.html()).not.toContain('<span class="highlight-search-term');
+      expect(fileNameContent.text()).toContain(filePath);
+    });
+  });
 });
diff --git a/spec/frontend/work_items/components/shared/work_item_namespace_listbox_spec.js b/spec/frontend/work_items/components/shared/work_item_namespace_listbox_spec.js
index 882365af476..6988f8f9af2 100644
--- a/spec/frontend/work_items/components/shared/work_item_namespace_listbox_spec.js
+++ b/spec/frontend/work_items/components/shared/work_item_namespace_listbox_spec.js
@@ -139,14 +139,6 @@ describe('WorkItemNamespaceListbox', () => {
     expect(findRecentDropdownItems().at(0).text()).toContain(namespaceGroupsData[0].name);
   });
 
-  it('filters out archived projects', () => {
-    expect(namespaceProjectsFormLinksWidgetResolver).toHaveBeenCalledWith(
-      expect.objectContaining({
-        includeArchived: false,
-      }),
-    );
-  });
-
   it('does not include duplicate items if found in both query and localstorage results', async () => {
     await createComponent();
     gon.current_username = 'root';
diff --git a/spec/frontend/work_items/components/work_item_breadcrumb_spec.js b/spec/frontend/work_items/components/work_item_breadcrumb_spec.js
index 3747fd6436f..262c4065e20 100644
--- a/spec/frontend/work_items/components/work_item_breadcrumb_spec.js
+++ b/spec/frontend/work_items/components/work_item_breadcrumb_spec.js
@@ -15,6 +15,7 @@ describe('WorkItemBreadcrumb', () => {
     listPath = '/epics',
     isGroup = true,
     workItemsAlpha = false,
+    workItemPlanningView = false,
     props = {},
   } = {}) => {
     wrapper = shallowMount(WorkItemBreadcrumb, {
@@ -23,6 +24,7 @@ describe('WorkItemBreadcrumb', () => {
         glFeatures: {
           workItemEpicsList,
           workItemsAlpha,
+          workItemPlanningView,
         },
         listPath,
         isGroup,
@@ -46,8 +48,8 @@ describe('WorkItemBreadcrumb', () => {
       ]);
     });
 
-    it('renders root `Work items` breadcrumb on work items list page', () => {
-      createComponent();
+    it('renders root `Work items` breadcrumb on work items list page when `workItemPlanningView` feature is enabled', () => {
+      createComponent({ workItemPlanningView: true });
 
       expect(findBreadcrumb().props('items')).toEqual([
         {
@@ -60,6 +62,20 @@ describe('WorkItemBreadcrumb', () => {
       ]);
     });
 
+    it('renders root `Issues` breadcrumb on work items list page', () => {
+      createComponent();
+
+      expect(findBreadcrumb().props('items')).toEqual([
+        {
+          text: 'Issues',
+          to: {
+            name: 'workItemList',
+            query: undefined,
+          },
+        },
+      ]);
+    });
+
     it('renders root `Epics` breadcrumb on epics list page', () => {
       createComponent({ workItemType: WORK_ITEM_TYPE_NAME_EPIC });
 
@@ -147,7 +163,7 @@ describe('WorkItemBreadcrumb', () => {
 
     expect(findBreadcrumb().props('items')).toEqual([
       { text: 'Static', href: '/static' },
-      { text: 'Work items', to: { name: 'workItemList', query: undefined } },
+      { text: 'Issues', to: { name: 'workItemList', query: undefined } },
       { text: '#1', to: '/1' },
     ]);
   });
diff --git a/spec/frontend/work_items/components/work_item_links/work_item_projects_listbox_spec.js b/spec/frontend/work_items/components/work_item_links/work_item_projects_listbox_spec.js
index 01e356cbf12..d530ad4bb61 100644
--- a/spec/frontend/work_items/components/work_item_links/work_item_projects_listbox_spec.js
+++ b/spec/frontend/work_items/components/work_item_links/work_item_projects_listbox_spec.js
@@ -81,16 +81,10 @@ describe('WorkItemProjectsListbox', () => {
       removeLocalstorageFrequentItems();
 
       findDropdown().vm.$emit('shown');
-
       await nextTick();
-
       await findDropdownItemFor(namespaceProjectsData[0].fullPath).trigger('click');
 
-      await nextTick();
-
-      const emitted = wrapper.emitted('selectProject');
-
-      expect(emitted[0][0]).toBe(namespaceProjectsData[0].fullPath);
+      expect(wrapper.emitted('selectProject').pop()).toEqual([namespaceProjectsData[0].fullPath]);
     });
 
     it('renders recent projects if present', async () => {
@@ -112,16 +106,10 @@ describe('WorkItemProjectsListbox', () => {
       setLocalstorageFrequentItems();
 
       findDropdown().vm.$emit('shown');
-
       await nextTick();
-
       await findRecentDropdownItemAt(0).trigger('click');
 
-      await nextTick();
-
-      const emitted = wrapper.emitted('selectProject');
-
-      expect(emitted[0][0]).toBe(namespaceProjectsData[1].fullPath);
+      expect(wrapper.emitted('selectProject').pop()).toEqual([namespaceProjectsData[1].fullPath]);
     });
 
     it('supports filtering recent projects via search input', async () => {
@@ -145,12 +133,11 @@ describe('WorkItemProjectsListbox', () => {
       expect(content.at(0).text()).toContain(namespaceProjectsData[0].name);
     });
 
-    it('filters out archived projects', () => {
-      expect(namespaceProjectsFormLinksWidgetResolver).toHaveBeenCalledWith(
-        expect.objectContaining({
-          includeArchived: false,
-        }),
-      );
+    it('default-selects the first project from the API when there is no `selectedProjectFullPath`', async () => {
+      findDropdown().vm.$emit('shown');
+      await nextTick();
+
+      expect(wrapper.emitted('selectProject')).toEqual([[namespaceProjectsData[0].fullPath]]);
     });
   });
 
@@ -174,23 +161,17 @@ describe('WorkItemProjectsListbox', () => {
     it('auto-selects the current project', async () => {
       await nextTick();
 
-      expect(findDropdownToggle().text()).toContain(namespaceProjectsData[0].nameWithNamespace);
+      expect(findDropdownToggle().text()).toBe(namespaceProjectsData[0].name);
     });
 
     it('supports selecting a project', async () => {
       removeLocalstorageFrequentItems();
 
       findDropdown().vm.$emit('shown');
-
       await nextTick();
-
       await findDropdownItemFor(namespaceProjectsData[1].fullPath).trigger('click');
 
-      await nextTick();
-
-      const emitted = wrapper.emitted('selectProject');
-
-      expect(emitted[0][0]).toBe(namespaceProjectsData[1].fullPath);
+      expect(wrapper.emitted('selectProject').pop()).toEqual([namespaceProjectsData[1].fullPath]);
     });
 
     it('renders recent projects if present', async () => {
@@ -212,16 +193,10 @@ describe('WorkItemProjectsListbox', () => {
       setLocalstorageFrequentItems();
 
       findDropdown().vm.$emit('shown');
-
       await nextTick();
-
       await findRecentDropdownItemAt(0).trigger('click');
 
-      await nextTick();
-
-      const emitted = wrapper.emitted('selectProject');
-
-      expect(emitted[0][0]).toBe(namespaceProjectsData[1].fullPath);
+      expect(wrapper.emitted('selectProject').pop()).toEqual([namespaceProjectsData[1].fullPath]);
     });
 
     it('supports filtering recent projects via search input', async () => {
@@ -244,14 +219,6 @@ describe('WorkItemProjectsListbox', () => {
       expect(content).toHaveLength(1);
       expect(content.at(0).text()).toContain(namespaceProjectsData[0].name);
     });
-
-    it('filters out archived projects', () => {
-      expect(namespaceProjectsFormLinksWidgetResolver).toHaveBeenCalledWith(
-        expect.objectContaining({
-          includeArchived: false,
-        }),
-      );
-    });
   });
 
   it('does not include duplicate projects if found in both query and localstorage results', async () => {
diff --git a/spec/frontend/work_items/pages/create_work_item_spec.js b/spec/frontend/work_items/pages/create_work_item_spec.js
index 33d62a18e6c..47f774aa651 100644
--- a/spec/frontend/work_items/pages/create_work_item_spec.js
+++ b/spec/frontend/work_items/pages/create_work_item_spec.js
@@ -11,7 +11,13 @@ import waitForPromises from 'helpers/wait_for_promises';
 import createMockApollo from 'helpers/mock_apollo_helper';
 import setWindowLocation from 'helpers/set_window_location_helper';
 import CreateWorkItemCancelConfirmationModal from '~/work_items/components/create_work_item_cancel_confirmation_modal.vue';
-import { WORK_ITEM_TYPE_ENUM_ISSUE, WORK_ITEM_TYPE_NAME_ISSUE } from '~/work_items/constants';
+import {
+  WORK_ITEM_TYPE_ENUM_EPIC,
+  WORK_ITEM_TYPE_ENUM_INCIDENT,
+  WORK_ITEM_TYPE_ENUM_ISSUE,
+  WORK_ITEM_TYPE_ENUM_TASK,
+  WORK_ITEM_TYPE_NAME_ISSUE,
+} from '~/work_items/constants';
 
 Vue.use(VueApollo);
 
@@ -47,10 +53,11 @@ describe('Create work item page component', () => {
 
   const relatedItemQueryHandler = jest.fn().mockResolvedValue(mockRelatedItem);
 
-  const createComponent = ($router = undefined, isGroup = true, $route) => {
+  const createComponent = ({ props = {}, provide = {}, $router = undefined, $route } = {}) => {
     wrapper = shallowMount(CreateWorkItemPage, {
       propsData: {
         workItemTypeEnum: WORK_ITEM_TYPE_ENUM_ISSUE,
+        ...props,
       },
       apolloProvider: createMockApollo([[workItemRelatedItemQuery, relatedItemQueryHandler]]),
       mocks: {
@@ -59,7 +66,8 @@ describe('Create work item page component', () => {
       },
       provide: {
         fullPath: 'gitlab-org',
-        isGroup,
+        isGroup: false,
+        ...provide,
       },
       stubs: {
         GlModal,
@@ -73,7 +81,7 @@ describe('Create work item page component', () => {
 
   it('passes the isGroup prop to the CreateWorkItem component', () => {
     const pushMock = jest.fn();
-    createComponent({ push: pushMock }, false);
+    createComponent({ $router: { push: pushMock } });
 
     expect(findCreateWorkItem().props()).toMatchObject({
       isGroup: false,
@@ -83,7 +91,7 @@ describe('Create work item page component', () => {
 
   it('passes alwaysShowWorkItemTypeSelect prop as `true` to the CreateWorkItem component when isGroup is false', () => {
     const pushMock = jest.fn();
-    createComponent({ push: pushMock }, false);
+    createComponent({ $router: { push: pushMock } });
 
     expect(findCreateWorkItem().props()).toMatchObject({
       alwaysShowWorkItemTypeSelect: true,
@@ -115,7 +123,7 @@ describe('Create work item page component', () => {
 
   it('calls router.push after create if router is present', () => {
     const pushMock = jest.fn();
-    createComponent({ push: pushMock });
+    createComponent({ $router: { push: pushMock } });
 
     wrapper.findComponent(CreateWorkItem).vm.$emit('workItemCreated', {
       workItem: { webUrl: '/work_items/1234', iid: '1234' },
@@ -131,6 +139,30 @@ describe('Create work item page component', () => {
     });
   });
 
+  describe('project selector', () => {
+    it.each`
+      workItemTypeEnum                | isGroup  | showProjectSelector
+      ${WORK_ITEM_TYPE_ENUM_ISSUE}    | ${true}  | ${true}
+      ${WORK_ITEM_TYPE_ENUM_INCIDENT} | ${true}  | ${true}
+      ${WORK_ITEM_TYPE_ENUM_TASK}     | ${true}  | ${true}
+      ${WORK_ITEM_TYPE_ENUM_EPIC}     | ${true}  | ${false}
+      ${WORK_ITEM_TYPE_ENUM_ISSUE}    | ${false} | ${false}
+      ${WORK_ITEM_TYPE_ENUM_INCIDENT} | ${false} | ${false}
+      ${WORK_ITEM_TYPE_ENUM_TASK}     | ${false} | ${false}
+      ${WORK_ITEM_TYPE_ENUM_EPIC}     | ${false} | ${false}
+    `(
+      'only renders when group and non-epic',
+      ({ workItemTypeEnum, isGroup, showProjectSelector }) => {
+        createComponent({
+          props: { workItemTypeEnum },
+          provide: { isGroup },
+        });
+
+        expect(findCreateWorkItem().props('showProjectSelector')).toBe(showProjectSelector);
+      },
+    );
+  });
+
   describe('when the related_item_id url query param is present', () => {
     describe('when successful', () => {
       beforeEach(async () => {
@@ -242,7 +274,7 @@ describe('Create work item page component', () => {
         params: { type: 'work_items' },
       };
 
-      createComponent({ history: historyMock, go: goMock }, false, routeMock);
+      createComponent({ $router: { history: historyMock, go: goMock }, $route: routeMock });
 
       findCreateWorkItem().vm.$emit('confirmCancel');
       await nextTick();
@@ -269,7 +301,7 @@ describe('Create work item page component', () => {
         params: { type: 'issues' },
       };
 
-      createComponent({ history: historyMock }, false, routeMock);
+      createComponent({ $router: { history: historyMock }, $route: routeMock });
 
       findCreateWorkItem().vm.$emit('confirmCancel');
       await nextTick();
@@ -294,7 +326,11 @@ describe('Create work item page component', () => {
         params: { type: 'work_items' },
       };
 
-      createComponent({ history: historyMock }, true, routeMock);
+      createComponent({
+        provide: { isGroup: true },
+        $router: { history: historyMock },
+        $route: routeMock,
+      });
 
       findCreateWorkItem().vm.$emit('confirmCancel');
       await nextTick();
@@ -319,7 +355,11 @@ describe('Create work item page component', () => {
         params: { type: 'epics' },
       };
 
-      createComponent({ history: historyMock }, true, routeMock);
+      createComponent({
+        provide: { isGroup: true },
+        $router: { history: historyMock },
+        $route: routeMock,
+      });
 
       findCreateWorkItem().vm.$emit('confirmCancel');
       await nextTick();
diff --git a/spec/graphql/mutations/alert_management/http_integration/create_spec.rb b/spec/graphql/mutations/alert_management/http_integration/create_spec.rb
index ca0ab385e03..a0c4c50cf26 100644
--- a/spec/graphql/mutations/alert_management/http_integration/create_spec.rb
+++ b/spec/graphql/mutations/alert_management/http_integration/create_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Mutations::AlertManagement::HttpIntegration::Create, feature_category: :api do
+RSpec.describe Mutations::AlertManagement::HttpIntegration::Create, feature_category: :incident_management do
   include GraphqlHelpers
 
   let_it_be(:current_user) { create(:user) }
@@ -25,6 +25,11 @@ RSpec.describe Mutations::AlertManagement::HttpIntegration::Create, feature_cate
             integration: ::AlertManagement::HttpIntegration.last!,
             errors: []
           )
+          expect(resolve[:integration]).to have_attributes(
+            active: true,
+            name: 'HTTP Integration',
+            type_identifier: 'http'
+          )
         end
       end
 
@@ -42,6 +47,29 @@ RSpec.describe Mutations::AlertManagement::HttpIntegration::Create, feature_cate
           )
         end
       end
+
+      context 'when type argument is specified' do
+        let(:args) do
+          {
+            project_path: project.full_path,
+            active: true,
+            name: 'Prometheus',
+            type_identifier: :prometheus
+          }
+        end
+
+        it 'returns the integration with no errors' do
+          expect(resolve).to eq(
+            integration: ::AlertManagement::HttpIntegration.last!,
+            errors: []
+          )
+          expect(resolve[:integration]).to have_attributes(
+            active: true,
+            name: 'Prometheus',
+            type_identifier: 'prometheus'
+          )
+        end
+      end
     end
 
     context 'when resource is not accessible to the user' do
diff --git a/spec/initializers/net_http_spec.rb b/spec/initializers/net_http_spec.rb
index 1a8ef0cdd87..dbcde05e882 100644
--- a/spec/initializers/net_http_spec.rb
+++ b/spec/initializers/net_http_spec.rb
@@ -1,8 +1,36 @@
 # frozen_string_literal: true
 
 require 'spec_helper'
+require 'webrick'
+
+RSpec.describe 'Net::Http patch', :request_store, feature_category: :integrations do
+  let(:two_mega_bytes_body) { "A" * 2 * 1024 * 1024 }
+
+  let_it_be(:server_thread) do
+    Thread.new do
+      server = WEBrick::HTTPServer.new(Port: 4567, Logger: WEBrick::Log.new("/dev/null"), AccessLog: [])
+
+      server.mount_proc '/no-encoding' do |_req, res|
+        res.status = 200
+        res['Content-Type'] = 'text/plain'
+
+        res.body = two_mega_bytes_body
+      end
+
+      server.mount_proc '/gzip' do |_req, res|
+        res.status = 200
+        res['Content-Encoding'] = 'gzip'
+        res['Content-Type'] = 'text/plain'
+
+        res.body = gzip_compress(two_mega_bytes_body)
+      end
+
+      trap("INT") { server.shutdown }
+
+      server.start
+    end
+  end
 
-RSpec.describe 'Net::Http patch', feature_category: :integrations do
   def gzip_compress(content)
     buffer = StringIO.new
     gzip = Zlib::GzipWriter.new(buffer)
@@ -11,116 +39,80 @@ RSpec.describe 'Net::Http patch', feature_category: :integrations do
     buffer.string
   end
 
-  def read_body(res, io)
-    body = nil
-    res.reading_body io, true do
-      body = res.read_body
-    end
-    body
+  before_all do
+    WebMock.disable!
   end
 
-  shared_examples 'logging behavior for decompressed content' do |size|
-    it 'logs the decompressed content size' do
-      expect(Gitlab::AppJsonLogger).to receive(:debug).with(message: 'net/http: response decompressed', size: size,
-        caller: anything)
+  after(:all) do
+    Thread.kill(server_thread)
 
-      res = Net::HTTPResponse.read_new(io)
-      res.decode_content = true
+    WebMock.enable!
+  end
 
-      read_body(res, io)
+  shared_examples 'raises error' do
+    it 'logs and raises Gitlab::HTTP::MaxDecompressionSizeError' do
+      expect(Gitlab::AppJsonLogger).to receive(:error)
+        .with(message: 'Net::HTTP - Response size too large', size: an_instance_of(Integer), caller: anything)
+
+      expect do
+        Net::HTTP.get_response(URI("http://localhost:4567/#{path}"))
+      end.to raise_error Gitlab::HTTP::MaxDecompressionSizeError
     end
   end
 
-  shared_examples 'no logging for decompressed content' do
-    it 'does not log the decompressed content size' do
-      expect(Gitlab::AppJsonLogger).not_to receive(:debug)
+  shared_examples 'does not raise error' do
+    it 'does not raise error' do
+      expect(Gitlab::AppJsonLogger).not_to receive(:error)
 
-      res = Net::HTTPResponse.read_new(io)
-      res.decode_content = true
+      body = Net::HTTP.get_response(URI("http://localhost:4567/#{path}")).body
 
-      read_body(res, io)
+      expect(body).to eq(two_mega_bytes_body)
     end
   end
 
-  describe 'decompressing data' do
-    let(:body) { 'Hello world!' }
-    let(:io) do
-      gzip_body = gzip_compress(body)
-      response = <<~RESPONSE
-        HTTP/1.1 200 OK
-        Content-Encoding: gzip
-        Content-Type: text/plain
-
-        #{gzip_body}
-      RESPONSE
-
-      Net::BufferedIO.new(StringIO.new(response.force_encoding('ASCII-8BIT')))
+  context 'when decompressed content size exceeds the threshold' do
+    before do
+      stub_application_setting(max_http_decompressed_size: 1)
     end
 
-    context 'when decompressed content size exceeds the log threshold' do
+    include_examples 'raises error' do
+      let(:path) { 'gzip' }
+    end
+
+    context 'when validation is disabled via Request Store' do
       before do
-        allow(Gitlab.config.gitlab).to receive(:log_decompressed_response_bytesize).and_return(11)
+        Gitlab::SafeRequestStore[:disable_net_http_decompression] = true
       end
 
-      it_behaves_like 'logging behavior for decompressed content', 12.bytes
+      include_examples 'does not raise error' do
+        let(:path) { 'gzip' }
+      end
     end
 
-    context 'when decompressed content size is below the log threshold' do
-      before do
-        allow(Gitlab.config.gitlab).to receive(:log_decompressed_response_bytesize).and_return(13)
+    context 'when response is not encoded' do
+      include_examples 'does not raise error' do
+        let(:path) { 'no-encoding' }
       end
+    end
+  end
 
-      it_behaves_like 'no logging for decompressed content'
+  context 'when decompressed content size is below the threshold' do
+    before do
+      stub_application_setting(max_http_decompressed_size: 3)
     end
 
-    context 'when log_decompressed_response_bytesize is set to zero' do
-      before do
-        allow(Gitlab.config.gitlab).to receive(:log_decompressed_response_bytesize).and_return(0)
-      end
+    include_examples 'does not raise error' do
+      let(:path) { 'gzip' }
+    end
+  end
 
-      it_behaves_like 'no logging for decompressed content'
+  context 'when threshold is set to zero' do
+    before do
+      stub_application_setting(max_http_decompressed_size: 0)
     end
 
-    context 'with chunked response' do
-      let(:io) do
-        chunked_response = ""
-        chunked_response += "HTTP/1.1 200 OK\r\n"
-        chunked_response += "Content-Encoding: gzip\r\n"
-        chunked_response += "Content-Type: application/octet-stream\r\n"
-        chunked_response += "Transfer-Encoding: chunked\r\n"
-        chunked_response += "\r\n"
-        gzipped_content = gzip_compress(body)
-        gzipped_content.each_char.each_slice(1024) do |chunk|
-          chunk_data = chunk.join
-          chunk_size_hex = format("%X", chunk_data.bytesize)
-
-          chunked_response += chunk_size_hex
-          chunked_response += "\r\n"
-          chunked_response += chunk_data
-          chunked_response += "\r\n"
-        end
-        chunked_response << "0\r\n\r\n"
-
-        Net::BufferedIO.new(StringIO.new(chunked_response.force_encoding('ASCII-8BIT')))
-      end
-
-      let(:body) { "A" * 2 * 1024 * 1024 }
-
-      context 'when decompressed content size exceeds the log threshold' do
-        before do
-          allow(Gitlab.config.gitlab).to receive(:log_decompressed_response_bytesize).and_return(1.megabyte)
-        end
-
-        it_behaves_like 'logging behavior for decompressed content', 2.megabytes
-      end
-
-      context 'when decompressed content size is below the log threshold' do
-        before do
-          allow(Gitlab.config.gitlab).to receive(:log_decompressed_response_bytesize).and_return(3.megabytes)
-        end
-
-        it_behaves_like 'no logging for decompressed content'
-      end
+    include_examples 'does not raise error' do
+      let(:path) { 'gzip' }
     end
   end
 end
diff --git a/spec/lib/bitbucket/app_password_connection_spec.rb b/spec/lib/bitbucket/app_password_connection_spec.rb
index 4402727a3a7..e62c93b7d88 100644
--- a/spec/lib/bitbucket/app_password_connection_spec.rb
+++ b/spec/lib/bitbucket/app_password_connection_spec.rb
@@ -13,9 +13,12 @@ RSpec.describe Bitbucket::AppPasswordConnection, feature_category: :importers do
         .to receive(:get)
         .with(
           'https://api.bitbucket.org/2.0/user',
-          basic_auth: { username: 'foo', password: 'bar' },
-          headers: { 'Accept' => 'application/json' },
-          query: { page: 1 }
+          {
+            basic_auth: { username: 'foo', password: 'bar' },
+            headers: { 'Accept' => 'application/json' },
+            query: { page: 1 },
+            max_bytes: an_instance_of(Integer)
+          }
         )
         .and_return(
           instance_double(HTTParty::Response,
diff --git a/spec/lib/bulk_imports/clients/http_spec.rb b/spec/lib/bulk_imports/clients/http_spec.rb
index 2eceefe3091..77066076cc0 100644
--- a/spec/lib/bulk_imports/clients/http_spec.rb
+++ b/spec/lib/bulk_imports/clients/http_spec.rb
@@ -122,6 +122,7 @@ RSpec.describe BulkImports::Clients::HTTP, feature_category: :importers do
           limit: 2
         }
         params[:query] = params[:query].merge(query)
+        params[:max_bytes] = an_instance_of(Integer)
 
         allow(Gitlab::HTTP).to receive(:get).with(uri, params).and_return(response)
       end
diff --git a/spec/lib/gitlab/chat/responder/mattermost_spec.rb b/spec/lib/gitlab/chat/responder/mattermost_spec.rb
index 6379d463252..e55a65627ff 100644
--- a/spec/lib/gitlab/chat/responder/mattermost_spec.rb
+++ b/spec/lib/gitlab/chat/responder/mattermost_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe Gitlab::Chat::Responder::Mattermost, feature_category: :integrati
     it 'sends a response back to Slack' do
       expect(Gitlab::HTTP).to receive(:post).with(
         'http://example.com',
-        { headers: { 'Content-Type': 'application/json' }, body: 'hello'.to_json }
+        { headers: { 'Content-Type': 'application/json' }, body: 'hello'.to_json, max_bytes: an_instance_of(Integer) }
       )
 
       responder.send_response('hello')
diff --git a/spec/lib/gitlab/chat/responder/slack_spec.rb b/spec/lib/gitlab/chat/responder/slack_spec.rb
index abb9a3841ec..a99090cb459 100644
--- a/spec/lib/gitlab/chat/responder/slack_spec.rb
+++ b/spec/lib/gitlab/chat/responder/slack_spec.rb
@@ -30,7 +30,7 @@ RSpec.describe Gitlab::Chat::Responder::Slack, feature_category: :integrations d
     it 'sends a response back to Slack' do
       expect(Gitlab::HTTP).to receive(:post).with(
         'http://example.com',
-        { headers: { Accept: 'application/json' }, body: 'hello'.to_json }
+        { headers: { Accept: 'application/json' }, body: 'hello'.to_json, max_bytes: an_instance_of(Integer) }
       )
 
       responder.send_response('hello')
@@ -41,7 +41,7 @@ RSpec.describe Gitlab::Chat::Responder::Slack, feature_category: :integrations d
 
       expect(Gitlab::HTTP).to receive(:post).with(
         'http://example.com',
-        { headers: { Accept: 'application/json' }, body: 'hello'.to_json }
+        { headers: { Accept: 'application/json' }, body: 'hello'.to_json, max_bytes: an_instance_of(Integer) }
       )
 
       expect(Gitlab::AppLogger)
diff --git a/spec/lib/gitlab/diff/file_spec.rb b/spec/lib/gitlab/diff/file_spec.rb
index b786d8c12f0..6cd716ea923 100644
--- a/spec/lib/gitlab/diff/file_spec.rb
+++ b/spec/lib/gitlab/diff/file_spec.rb
@@ -1366,4 +1366,18 @@ RSpec.describe Gitlab::Diff::File, feature_category: :shared do
   describe '#viewer_hunks' do
     it { expect(diff_file.viewer_hunks).to all(be_instance_of(Gitlab::Diff::ViewerHunk)) }
   end
+
+  describe '#no_preview?' do
+    subject(:no_preview?) { diff_file.no_preview? }
+
+    it 'returns true for collapsed file' do
+      allow(diff_file).to receive(:collapsed?).and_return(true)
+      expect(no_preview?).to eq(true)
+    end
+
+    it 'returns true for unmodified file' do
+      allow(diff_file).to receive(:modified_file?).and_return(false)
+      expect(no_preview?).to eq(true)
+    end
+  end
 end
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 12691b2e9fa..1327473bd64 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -667,9 +667,7 @@ RSpec.describe Gitlab::GitAccess, :aggregate_failures, feature_category: :system
 
       context 'pull code' do
         context 'when project is authorized' do
-          before do
-            deploy_token.projects << project
-          end
+          let(:deploy_token) { create(:deploy_token, projects: [project]) }
 
           it { expect { pull_access_check }.not_to raise_error }
         end
diff --git a/spec/lib/gitlab/github_import/attachments_downloader_spec.rb b/spec/lib/gitlab/github_import/attachments_downloader_spec.rb
index c7dd2a9538c..d81d857d623 100644
--- a/spec/lib/gitlab/github_import/attachments_downloader_spec.rb
+++ b/spec/lib/gitlab/github_import/attachments_downloader_spec.rb
@@ -114,8 +114,7 @@ RSpec.describe Gitlab::GithubImport::AttachmentsDownloader, feature_category: :i
       end
 
       it 'gets redirection url' do
-        expect(Gitlab::HTTP).to receive(:perform_request)
-          .with(Net::HTTP::Get, file_url, { follow_redirects: false })
+        expect(::Import::Clients::HTTP).to receive(:get).with(file_url, { follow_redirects: false })
           .and_return sample_response
 
         expect(Gitlab::HTTP).to receive(:perform_request)
@@ -133,13 +132,10 @@ RSpec.describe Gitlab::GithubImport::AttachmentsDownloader, feature_category: :i
           instance_double(HTTParty::Response, code: 200, redirection?: false)
         end
 
-        before do
-          allow(Gitlab::HTTP).to receive(:perform_request)
-            .with(Net::HTTP::Get, file_url, { follow_redirects: false })
-            .and_return sample_response
-        end
-
         it 'queries with original file_url' do
+          expect(::Import::Clients::HTTP).to receive(:get).with(file_url, { follow_redirects: false })
+            .and_return sample_response
+
           expect(Gitlab::HTTP).to receive(:perform_request)
             .with(Net::HTTP::Get, file_url, stream_body: true).and_yield(chunk_double)
 
@@ -152,13 +148,10 @@ RSpec.describe Gitlab::GithubImport::AttachmentsDownloader, feature_category: :i
       context 'when redirection url is not supported' do
         let(:redirect_url) { "https://https://github-production-user-asset-6210df.s3.amazonaws.com/142635249/740edb05293e.idk" }
 
-        before do
-          allow(Gitlab::HTTP).to receive(:perform_request)
-            .with(Net::HTTP::Get, file_url, { follow_redirects: false })
-            .and_return sample_response
-        end
-
         it 'raises UnsupportedAttachmentError on unsupported extension' do
+          expect(::Import::Clients::HTTP).to receive(:get).with(file_url, { follow_redirects: false })
+            .and_return sample_response
+
           expect { downloader.perform }.to raise_error(described_class::UnsupportedAttachmentError)
         end
       end
diff --git a/spec/lib/gitlab/http_spec.rb b/spec/lib/gitlab/http_spec.rb
index c23f4ea8ffa..d805ca0362c 100644
--- a/spec/lib/gitlab/http_spec.rb
+++ b/spec/lib/gitlab/http_spec.rb
@@ -115,4 +115,46 @@ RSpec.describe Gitlab::HTTP, feature_category: :shared do
       end
     end
   end
+
+  describe '.without_decompression_limit', :request_store do
+    it 'ensures SafeRequestStore[:disable_net_http_decompression] is true within the block' do
+      expect(Gitlab::SafeRequestStore[:disable_net_http_decompression]).to be_nil
+
+      result = described_class.without_decompression_limit do
+        Gitlab::SafeRequestStore[:disable_net_http_decompression]
+      end
+
+      expect(result).to be(true)
+      expect(Gitlab::SafeRequestStore[:disable_net_http_decompression]).to be(false)
+    end
+
+    it 'ensures SafeRequestStore[:disable_net_http_decompression] is false if an exception occurs' do
+      expect(Gitlab::SafeRequestStore[:disable_net_http_decompression]).to be_nil
+
+      expect do
+        described_class.without_decompression_limit do
+          raise 'test error'
+        end
+      end.to raise_error('test error')
+
+      expect(Gitlab::SafeRequestStore[:disable_net_http_decompression]).to be(false)
+    end
+
+    context 'when request store is disabled' do
+      before do
+        allow(Gitlab::SafeRequestStore).to receive(:active?).and_return(false)
+      end
+
+      it 'does not set SafeRequestStore[:disable_net_http_decompression] to true' do
+        expect(Gitlab::SafeRequestStore[:disable_net_http_decompression]).to be_nil
+
+        result = described_class.without_decompression_limit do
+          Gitlab::SafeRequestStore[:disable_net_http_decompression]
+        end
+
+        expect(result).to be_nil
+        expect(Gitlab::SafeRequestStore[:disable_net_http_decompression]).to be_nil
+      end
+    end
+  end
 end
diff --git a/spec/lib/import/clients/http_spec.rb b/spec/lib/import/clients/http_spec.rb
new file mode 100644
index 00000000000..3aeda197907
--- /dev/null
+++ b/spec/lib/import/clients/http_spec.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Import::Clients::HTTP, feature_category: :importers do
+  [:delete, :head, :get, :post, :put, :try_get].each do |method|
+    describe ".#{method}" do
+      before do
+        stub_application_setting(max_http_response_size_limit: 1)
+      end
+
+      it "delegates to Gitlab::HTTP.#{method}" do
+        path = 'https://example.com/api'
+
+        expect(Gitlab::HTTP).to receive(method).with(path,
+          { headers: { 'Content-Type' => 'application/json' }, max_bytes: 1.megabyte })
+
+        described_class.public_send(method, path, { headers: { 'Content-Type' => 'application/json' } })
+      end
+    end
+  end
+end
diff --git a/spec/lib/integrations/clients/http_spec.rb b/spec/lib/integrations/clients/http_spec.rb
new file mode 100644
index 00000000000..e561e7f1419
--- /dev/null
+++ b/spec/lib/integrations/clients/http_spec.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Integrations::Clients::HTTP, feature_category: :integrations do
+  [:delete, :head, :get, :post, :put, :try_get].each do |method|
+    describe ".#{method}" do
+      before do
+        stub_application_setting(max_http_response_size_limit: 1)
+      end
+
+      it "delegates to Gitlab::HTTP.#{method}" do
+        path = 'https://example.com/api'
+
+        expect(Gitlab::HTTP).to receive(method).with(path,
+          { headers: { 'Content-Type' => 'application/json' }, max_bytes: 1.megabyte })
+
+        described_class.public_send(method, path, { headers: { 'Content-Type' => 'application/json' } })
+      end
+    end
+  end
+end
diff --git a/spec/models/board_spec.rb b/spec/models/board_spec.rb
index ddf1170d908..c9eb372bf4b 100644
--- a/spec/models/board_spec.rb
+++ b/spec/models/board_spec.rb
@@ -18,9 +18,22 @@ RSpec.describe Board do
   end
 
   describe 'validations' do
+    let_it_be(:board) { build(:board, project: project) }
+
     it { is_expected.to validate_presence_of(:name) }
     it { is_expected.to validate_presence_of(:project) }
 
+    it 'validates name length is at most 255 characters when name is changed' do
+      board.name = 'a' * 256
+      expect(board).not_to be_valid
+      expect(board.errors[:name]).to include('is too long (maximum is 255 characters)')
+    end
+
+    it 'allows names up to 255 characters' do
+      board.name = 'a' * 255
+      expect(board).to be_valid
+    end
+
     describe 'group and project mutually exclusive' do
       context 'when project is present' do
         subject { described_class.new(project: project) }
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index 04dab9db0b9..b648befcdd7 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -3352,8 +3352,6 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def
     end
 
     context 'for deploy tokens' do
-      let(:deploy_token) { create(:deploy_token, :gitlab_deploy_token) }
-
       let(:deploy_token_variables) do
         [
           { key: 'CI_DEPLOY_USER', value: deploy_token.username, public: true, masked: false },
@@ -3362,9 +3360,7 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def
       end
 
       context 'when gitlab-deploy-token exists for project' do
-        before do
-          project.deploy_tokens << deploy_token
-        end
+        let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
 
         it 'includes deploy token variables' do
           is_expected.to include(*deploy_token_variables)
@@ -3378,9 +3374,7 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def
         end
 
         context 'when gitlab-deploy-token exists for group' do
-          before do
-            group.deploy_tokens << deploy_token
-          end
+          let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :group, groups: [group]) }
 
           it 'includes deploy token variables' do
             is_expected.to include(*deploy_token_variables)
diff --git a/spec/models/deploy_token_spec.rb b/spec/models/deploy_token_spec.rb
index 4c37edfe4e9..3bf73c05b1c 100644
--- a/spec/models/deploy_token_spec.rb
+++ b/spec/models/deploy_token_spec.rb
@@ -123,8 +123,7 @@ RSpec.describe DeployToken, feature_category: :continuous_delivery do
 
   describe '#has_access_to_group?' do
     let_it_be(:group) { create(:group) }
-    let_it_be_with_reload(:deploy_token) { create(:deploy_token, :group) }
-    let_it_be(:group_deploy_token) { create(:group_deploy_token, group: group, deploy_token: deploy_token) }
+    let_it_be_with_reload(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
 
     let(:test_group) { group }
 
@@ -320,11 +319,7 @@ RSpec.describe DeployToken, feature_category: :continuous_delivery do
       context 'and when the token is of group type' do
         let_it_be(:group) { create(:group) }
 
-        let(:deploy_token) { create(:deploy_token, :group) }
-
-        before do
-          deploy_token.groups << group
-        end
+        let(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
 
         context 'and the passed-in project does not belong to any group' do
           it { is_expected.to be_falsy }
diff --git a/spec/models/integrations/matrix_spec.rb b/spec/models/integrations/matrix_spec.rb
index a3be702c445..ef38ba997e5 100644
--- a/spec/models/integrations/matrix_spec.rb
+++ b/spec/models/integrations/matrix_spec.rb
@@ -84,7 +84,8 @@ RSpec.describe Integrations::Matrix, feature_category: :integrations do
       let(:context) { { project: subject.project, no_sourcepos: true } }
 
       it 'sends PUT request with `project` context' do
-        expect(Gitlab::HTTP).to receive(:put).with(anything, headers: header, body: Gitlab::Json.dump(body))
+        expect(Gitlab::HTTP).to receive(:put).with(anything,
+          { headers: header, body: Gitlab::Json.dump(body), max_bytes: an_instance_of(Integer) })
 
         subject.send(:notify, message, {})
       end
@@ -95,7 +96,8 @@ RSpec.describe Integrations::Matrix, feature_category: :integrations do
       let(:context) { { skip_project_check: true, no_sourcepos: true } }
 
       it 'sends PUT request with `skip_project_check` context' do
-        expect(Gitlab::HTTP).to receive(:put).with(anything, headers: header, body: Gitlab::Json.dump(body))
+        expect(Gitlab::HTTP).to receive(:put).with(anything,
+          { headers: header, body: Gitlab::Json.dump(body), max_bytes: an_instance_of(Integer) })
 
         subject.send(:notify, message, {})
       end
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 862b2d5113e..36afb22c327 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -5536,12 +5536,6 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
 
       subject { described_class.all.public_or_visible_to_user(user) }
 
-      context 'deploy token user without project' do
-        let_it_be(:user) { create(:deploy_token) }
-
-        it { is_expected.to eq [] }
-      end
-
       context 'deploy token user with projects' do
         let_it_be(:user) { create(:deploy_token, projects: [private_project, private_project2, private_project3]) }
 
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 644586e8fa8..c5ade2324e0 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -95,6 +95,10 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
 
   shared_examples 'deploy token does not get confused with user' do
     before do
+      # We force the id of the deploy token and the user to be the same,
+      # which requires deleting the joining record as we cannot update
+      # the id while foreign keys reference it.
+      deploy_token.project_deploy_tokens.delete_all(:delete_all)
       deploy_token.update!(id: user_id)
     end
 
@@ -1469,14 +1473,10 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
 
   context 'package registry' do
     context 'deploy token user' do
-      let!(:group_deploy_token) do
-        create(:group_deploy_token, group: group, deploy_token: deploy_token)
-      end
-
       subject { described_class.new(deploy_token, group) }
 
       context 'with read_package_registry scope' do
-        let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true) }
+        let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true, groups: [group]) }
 
         it { is_expected.to be_allowed(:read_package) }
         it { is_expected.to be_allowed(:read_group) }
@@ -1484,7 +1484,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
       end
 
       context 'with write_package_registry scope' do
-        let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) }
+        let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true, groups: [group]) }
 
         it { is_expected.to be_allowed(:create_package) }
         it { is_expected.to be_allowed(:read_package) }
diff --git a/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb b/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
index e772212b7c2..12b2f103b75 100644
--- a/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
+++ b/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
@@ -55,18 +55,14 @@ RSpec.describe Packages::Policies::DependencyProxy::GroupPolicy, feature_categor
       end
 
       context 'with a deploy token user' do
-        before do
-          create(:group_deploy_token, group: group, deploy_token: auth_token)
-        end
-
         context 'with insufficient scopes' do
-          let_it_be(:auth_token) { create(:deploy_token, :group, user: current_user) }
+          let_it_be(:auth_token) { create(:deploy_token, :group, user: current_user, groups: [group]) }
 
           it_behaves_like 'disallows dependency proxy read access'
         end
 
         context 'with sufficient scopes' do
-          let_it_be(:auth_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+          let_it_be(:auth_token) { create(:deploy_token, :group, :dependency_proxy_scopes, groups: [group]) }
 
           it_behaves_like 'allows dependency proxy read access'
         end
diff --git a/spec/policies/packages/policies/group_policy_spec.rb b/spec/policies/packages/policies/group_policy_spec.rb
index 8c0bf1b4894..3907d7c1b4d 100644
--- a/spec/policies/packages/policies/group_policy_spec.rb
+++ b/spec/policies/packages/policies/group_policy_spec.rb
@@ -66,20 +66,16 @@ RSpec.describe Packages::Policies::GroupPolicy, feature_category: :package_regis
   end
 
   describe 'deploy token access' do
-    let!(:group_deploy_token) do
-      create(:group_deploy_token, group: group, deploy_token: deploy_token)
-    end
-
     subject { described_class.new(deploy_token, group.packages_policy_subject) }
 
     context 'when a deploy token with read_package_registry scope' do
-      let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true) }
+      let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true, groups: [group]) }
 
       it { is_expected.to be_allowed(:read_package) }
     end
 
     context 'when a deploy token with write_package_registry scope' do
-      let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) }
+      let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true, groups: [group]) }
 
       it { is_expected.to be_allowed(:read_package) }
     end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index a3f1f3c6342..e9481749019 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1427,17 +1427,13 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
   end
 
   context 'deploy token access' do
-    let!(:project_deploy_token) do
-      create(:project_deploy_token, project: project, deploy_token: deploy_token)
-    end
-
     subject { described_class.new(deploy_token, project) }
 
     context 'private project' do
       let(:project) { private_project }
 
       context 'a deploy token with read_registry scope' do
-        let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false) }
+        let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false, projects: [project]) }
 
         it { is_expected.to be_allowed(:read_container_image) }
         it { is_expected.to be_disallowed(:create_container_image) }
@@ -1452,7 +1448,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
       end
 
       context 'a deploy token with write_registry scope' do
-        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true) }
+        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true, projects: [project]) }
 
         it { is_expected.to be_disallowed(:read_container_image) }
         it { is_expected.to be_allowed(:create_container_image) }
@@ -1466,14 +1462,14 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
       end
 
       context 'a deploy token with no registry scope' do
-        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: false) }
+        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: false, projects: [project]) }
 
         it { is_expected.to be_disallowed(:read_container_image) }
         it { is_expected.to be_disallowed(:create_container_image) }
       end
 
       context 'a deploy token with read_package_registry scope' do
-        let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, read_package_registry: true) }
+        let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, read_package_registry: true, projects: [project]) }
 
         it { is_expected.to be_allowed(:read_project) }
         it { is_expected.to be_allowed(:read_package) }
@@ -1483,7 +1479,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
       end
 
       context 'a deploy token with write_package_registry scope' do
-        let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, write_package_registry: true) }
+        let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, write_package_registry: true, projects: [project]) }
 
         it { is_expected.to be_allowed(:create_package) }
         it { is_expected.to be_allowed(:read_package) }
@@ -1498,7 +1494,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
       let(:project) { public_project }
 
       context 'a deploy token with read_registry scope' do
-        let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false) }
+        let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false, projects: [project]) }
 
         it { is_expected.to be_allowed(:read_container_image) }
         it { is_expected.to be_disallowed(:create_container_image) }
@@ -1519,7 +1515,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
       end
 
       context 'a deploy token with write_registry scope' do
-        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true) }
+        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true, projects: [project]) }
 
         it { is_expected.to be_allowed(:read_container_image) }
         it { is_expected.to be_allowed(:create_container_image) }
diff --git a/spec/requests/api/cargo_project_packages_spec.rb b/spec/requests/api/cargo_project_packages_spec.rb
index 232434f6182..af289d7e144 100644
--- a/spec/requests/api/cargo_project_packages_spec.rb
+++ b/spec/requests/api/cargo_project_packages_spec.rb
@@ -10,12 +10,14 @@ RSpec.describe API::CargoProjectPackages, feature_category: :package_registry do
   let_it_be(:group) { create(:group) }
   let_it_be(:project) { create(:project, group: group) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
+  let_it_be(:deploy_token) do
+    create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project])
+  end
+
   let_it_be(:deploy_token_without_permission) do
     create(:deploy_token, read_package_registry: false, write_package_registry: false)
   end
 
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
   let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
   let(:headers) { {} }
 
diff --git a/spec/requests/api/composer_packages_spec.rb b/spec/requests/api/composer_packages_spec.rb
index 1fc06525a47..40fc90c40f4 100644
--- a/spec/requests/api/composer_packages_spec.rb
+++ b/spec/requests/api/composer_packages_spec.rb
@@ -9,10 +9,8 @@ RSpec.describe API::ComposerPackages, feature_category: :package_registry do
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
   let_it_be(:package_name) { 'package-name' }
   let_it_be(:project, reload: true) { create(:project, :custom_repo, files: { 'composer.json' => { name: package_name }.to_json }, group: group) }
-  let_it_be(:deploy_token_for_project) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token_for_project, project: project) }
-  let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: deploy_token_for_group, group: group) }
+  let_it_be(:deploy_token_for_project) { create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project]) }
+  let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true, groups: [group]) }
   let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
 
   let(:snowplow_gitlab_standard_context) do
diff --git a/spec/requests/api/generic_packages_spec.rb b/spec/requests/api/generic_packages_spec.rb
index 6988ca56679..87f9d251094 100644
--- a/spec/requests/api/generic_packages_spec.rb
+++ b/spec/requests/api/generic_packages_spec.rb
@@ -11,18 +11,15 @@ RSpec.describe API::GenericPackages, feature_category: :package_registry do
   let_it_be(:personal_access_token) { create(:personal_access_token) }
   let_it_be(:project, reload: true) { create(:project) }
   let_it_be(:deploy_token_rw) do
-    create(:deploy_token, read_package_registry: true, write_package_registry: true)
-      .tap { |token| create(:project_deploy_token, deploy_token: token, project: project) }
+    create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project])
   end
 
   let_it_be(:deploy_token_ro) do
-    create(:deploy_token, read_package_registry: true, write_package_registry: false)
-      .tap { |token| create(:project_deploy_token, deploy_token: token, project: project) }
+    create(:deploy_token, read_package_registry: true, write_package_registry: false, projects: [project])
   end
 
   let_it_be(:deploy_token_wo) do
-    create(:deploy_token, read_package_registry: false, write_package_registry: true)
-      .tap { |token| create(:project_deploy_token, deploy_token: token, project: project) }
+    create(:deploy_token, read_package_registry: false, write_package_registry: true, projects: [project])
   end
 
   let(:user) { personal_access_token.user }
diff --git a/spec/requests/api/graphql/mutations/alert_management/http_integration/create_spec.rb b/spec/requests/api/graphql/mutations/alert_management/http_integration/create_spec.rb
index 6c09567d32c..78e841a00f2 100644
--- a/spec/requests/api/graphql/mutations/alert_management/http_integration/create_spec.rb
+++ b/spec/requests/api/graphql/mutations/alert_management/http_integration/create_spec.rb
@@ -38,6 +38,32 @@ RSpec.describe 'Creating a new HTTP Integration', feature_category: :incident_ma
 
   it_behaves_like 'creating a new HTTP integration'
 
+  context 'with type argument' do
+    let(:variables) do
+      {
+        project_path: project.full_path,
+        active: false,
+        name: 'New HTTP Integration',
+        type: 'PROMETHEUS'
+      }
+    end
+
+    it_behaves_like 'creating a new HTTP integration', 'PROMETHEUS'
+  end
+
+  context 'with invalid type argument' do
+    let(:variables) do
+      {
+        project_path: project.full_path,
+        active: false,
+        name: 'New HTTP Integration',
+        type: 'UNKNOWN'
+      }
+    end
+
+    it_behaves_like 'an invalid argument to the mutation', argument_name: :type
+  end
+
   [:project_path, :active, :name].each do |argument|
     context "without required argument #{argument}" do
       before do
diff --git a/spec/requests/api/helm_packages_spec.rb b/spec/requests/api/helm_packages_spec.rb
index 6d1812bd28b..4b49c0dc49a 100644
--- a/spec/requests/api/helm_packages_spec.rb
+++ b/spec/requests/api/helm_packages_spec.rb
@@ -7,8 +7,7 @@ RSpec.describe API::HelmPackages, feature_category: :package_registry do
   using RSpec::Parameterized::TableSyntax
 
   let_it_be_with_reload(:project) { create(:project, :public) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project]) }
   let_it_be(:package) { create(:helm_package, project: project, without_package_files: true) }
   let_it_be(:package_file1) { create(:helm_package_file, package: package) }
   let_it_be(:package_file2) { create(:helm_package_file, package: package) }
diff --git a/spec/requests/api/maven_packages_spec.rb b/spec/requests/api/maven_packages_spec.rb
index 11564ab3e5c..9988a74957c 100644
--- a/spec/requests/api/maven_packages_spec.rb
+++ b/spec/requests/api/maven_packages_spec.rb
@@ -18,10 +18,8 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
   let_it_be(:jar_file) { package.package_files.with_file_name_like('%.jar').first }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
   let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running, project: project) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
-  let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: deploy_token_for_group, group: group) }
+  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project]) }
+  let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true, groups: [group]) }
 
   let(:snowplow_gitlab_standard_context) { { project: project, namespace: project.namespace, user: user, property: 'i_package_maven_user' } }
 
@@ -451,7 +449,10 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
           another_user = create(:user)
           project.add_developer(another_user)
 
-          # We force the id of the deploy token and the user to be the same
+          # We force the id of the deploy token and the user to be the same,
+          # which requires deleting the joining record as we cannot update
+          # the id while foreign keys reference it.
+          unauthorized_deploy_token.project_deploy_tokens.delete_all(:delete_all)
           unauthorized_deploy_token.update!(id: another_user.id)
 
           download_file(
@@ -963,7 +964,10 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
       another_user = create(:user)
       project.add_developer(another_user)
 
-      # We force the id of the deploy token and the user to be the same
+      # We force the id of the deploy token and the user to be the same,
+      # which requires deleting the joining record as we cannot update
+      # the id while foreign keys reference it.
+      unauthorized_deploy_token.project_deploy_tokens.delete_all(:delete_all)
       unauthorized_deploy_token.update!(id: another_user.id)
 
       authorize_upload({}, headers.merge(Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token))
@@ -1191,10 +1195,13 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
       it 'rejects uploads by a unauthorized deploy token with same id as a user with access' do
         unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true)
 
-        another_user = create(:user)
+        another_user = create(:user, id: unauthorized_deploy_token.id)
         project.add_developer(another_user)
 
-        # We force the id of the deploy token and the user to be the same
+        # We force the id of the deploy token and the user to be the same,
+        # which requires deleting the joining record as we cannot update
+        # the id while foreign keys reference it.
+        unauthorized_deploy_token.project_deploy_tokens.delete_all(:delete_all)
         unauthorized_deploy_token.update!(id: another_user.id)
 
         upload_file(
diff --git a/spec/requests/api/nuget_project_packages_spec.rb b/spec/requests/api/nuget_project_packages_spec.rb
index 662804d6db3..098f1b341df 100644
--- a/spec/requests/api/nuget_project_packages_spec.rb
+++ b/spec/requests/api/nuget_project_packages_spec.rb
@@ -7,8 +7,10 @@ RSpec.describe API::NugetProjectPackages, feature_category: :package_registry do
 
   using RSpec::Parameterized::TableSyntax
 
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token) do
+    create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project])
+  end
+
   let_it_be(:package_name) { 'Dummy.Package' }
 
   let(:target) { project }
diff --git a/spec/requests/api/pypi_packages_spec.rb b/spec/requests/api/pypi_packages_spec.rb
index 96b7e8556b2..259cd283e53 100644
--- a/spec/requests/api/pypi_packages_spec.rb
+++ b/spec/requests/api/pypi_packages_spec.rb
@@ -11,8 +11,7 @@ RSpec.describe API::PypiPackages, feature_category: :package_registry do
   let_it_be_with_reload(:group) { create(:group) }
   let_it_be_with_reload(:project) { create(:project, :public, group: group) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project]) }
   let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
 
   let(:snowplow_gitlab_standard_context) { snowplow_context }
diff --git a/spec/requests/api/rpm_project_packages_spec.rb b/spec/requests/api/rpm_project_packages_spec.rb
index b6c8fb87655..c0044d711e0 100644
--- a/spec/requests/api/rpm_project_packages_spec.rb
+++ b/spec/requests/api/rpm_project_packages_spec.rb
@@ -13,8 +13,10 @@ RSpec.describe API::RpmProjectPackages, feature_category: :package_registry do
   let_it_be_with_reload(:project) { create(:project, :public, group: group) }
   let_it_be(:user) { create(:user) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token) do
+    create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project])
+  end
+
   let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
 
   let(:headers) { {} }
diff --git a/spec/requests/api/rubygem_packages_spec.rb b/spec/requests/api/rubygem_packages_spec.rb
index d8c110e9a7b..d4387ddd041 100644
--- a/spec/requests/api/rubygem_packages_spec.rb
+++ b/spec/requests/api/rubygem_packages_spec.rb
@@ -19,8 +19,7 @@ RSpec.describe API::RubygemPackages, feature_category: :package_registry do
   let_it_be(:personal_access_token) { create(:personal_access_token) }
   let_it_be(:user) { personal_access_token.user }
   let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project]) }
   let_it_be(:headers) { {} }
 
   let(:snowplow_gitlab_standard_context) { snowplow_context }
diff --git a/spec/requests/groups/work_items_controller_spec.rb b/spec/requests/groups/work_items_controller_spec.rb
index c411a28ec2b..2a1bb354ada 100644
--- a/spec/requests/groups/work_items_controller_spec.rb
+++ b/spec/requests/groups/work_items_controller_spec.rb
@@ -90,5 +90,28 @@ RSpec.describe 'Group Level Work Items', feature_category: :team_planning do
 
       expect(response).to have_gitlab_http_status(:not_found)
     end
+
+    context 'when the new page gets requested' do
+      let(:iid) { 'new' }
+
+      context "with signed in user" do
+        it 'renders show' do
+          get work_items_path
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to render_template(:show)
+        end
+      end
+
+      context "with signed out user" do
+        let(:current_user) { create(:user) }
+
+        it 'returns not found' do
+          get work_items_path
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
   end
 end
diff --git a/spec/services/import/gitlab_projects/file_acquisition_strategies/remote_file_spec.rb b/spec/services/import/gitlab_projects/file_acquisition_strategies/remote_file_spec.rb
index a1df6357eca..d91fcf69146 100644
--- a/spec/services/import/gitlab_projects/file_acquisition_strategies/remote_file_spec.rb
+++ b/spec/services/import/gitlab_projects/file_acquisition_strategies/remote_file_spec.rb
@@ -44,13 +44,13 @@ RSpec.describe ::Import::GitlabProjects::FileAcquisitionStrategies::RemoteFile,
 
     context 'when the HTTP request fails to recover the headers' do
       it 'adds the error message' do
-        expect(Gitlab::HTTP)
+        expect(Import::Clients::HTTP)
           .to receive(:head)
           .and_raise(StandardError, 'request invalid')
 
         expect(subject).not_to be_valid
         expect(subject.errors.full_messages)
-          .to include('Failed to retrive headers: request invalid')
+          .to include('Failed to retrieve headers: request invalid')
       end
     end
 
@@ -101,7 +101,7 @@ RSpec.describe ::Import::GitlabProjects::FileAcquisitionStrategies::RemoteFile,
   end
 
   def stub_headers_for(url, headers = {})
-    allow(Gitlab::HTTP)
+    allow(Import::Clients::HTTP)
       .to receive(:head)
       .with(remote_url, timeout: 1.second)
       .and_return(double(headers: headers)) # rubocop: disable RSpec/VerifiedDoubles
diff --git a/spec/services/integrations/slack_interactions/incident_management/incident_modal_closed_service_spec.rb b/spec/services/integrations/slack_interactions/incident_management/incident_modal_closed_service_spec.rb
index 64cddf9a66b..3f21656a7f3 100644
--- a/spec/services/integrations/slack_interactions/incident_management/incident_modal_closed_service_spec.rb
+++ b/spec/services/integrations/slack_interactions/incident_management/incident_modal_closed_service_spec.rb
@@ -30,8 +30,9 @@ RSpec.describe Integrations::SlackInteractions::IncidentManagement::IncidentModa
       it 'makes the POST call and closes the modal' do
         expect(Gitlab::HTTP).to receive(:post).with(
           'https://api.slack.com/id/1234',
-          body: Gitlab::Json.dump(request_body),
-          headers: { 'Content-Type' => 'application/json' }
+          { body: Gitlab::Json.dump(request_body),
+            headers: { 'Content-Type' => 'application/json' },
+            max_bytes: an_instance_of(Integer) }
         )
 
         service.execute
diff --git a/spec/services/integrations/slack_interactions/incident_management/incident_modal_submit_service_spec.rb b/spec/services/integrations/slack_interactions/incident_management/incident_modal_submit_service_spec.rb
index adaeadaa997..7eeee9fd336 100644
--- a/spec/services/integrations/slack_interactions/incident_management/incident_modal_submit_service_spec.rb
+++ b/spec/services/integrations/slack_interactions/incident_management/incident_modal_submit_service_spec.rb
@@ -110,13 +110,16 @@ RSpec.describe Integrations::SlackInteractions::IncidentManagement::IncidentModa
         expect(Gitlab::HTTP).to receive(:post)
           .with(
             api_url,
-            body: Gitlab::Json.dump(
-              {
-                replace_original: 'true',
-                text: 'There was a problem creating the incident. Please try again.'
-              }
-            ),
-            headers: { 'Content-Type' => 'application/json' }
+            {
+              body: Gitlab::Json.dump(
+                {
+                  replace_original: 'true',
+                  text: 'There was a problem creating the incident. Please try again.'
+                }
+              ),
+              headers: { 'Content-Type' => 'application/json' },
+              max_bytes: an_instance_of(Integer)
+            }
           )
 
         response = execute_service
@@ -151,14 +154,17 @@ RSpec.describe Integrations::SlackInteractions::IncidentManagement::IncidentModa
           expect(Gitlab::HTTP).to receive(:post)
             .with(
               api_url,
-              body: Gitlab::Json.dump(
-                {
-                  replace_original: 'true',
-                  text: "New incident has been created: " \
-                        "<#{issue_url(incident)}|#{incident.to_reference} - a href=\"url\"incident title/a>. "
-                }
-              ),
-              headers: { 'Content-Type' => 'application/json' }
+              {
+                body: Gitlab::Json.dump(
+                  {
+                    replace_original: 'true',
+                    text: "New incident has been created: " \
+                          "<#{issue_url(incident)}|#{incident.to_reference} - a href=\"url\"incident title/a>. "
+                  }
+                ),
+                headers: { 'Content-Type' => 'application/json' },
+                max_bytes: an_instance_of(Integer)
+              }
             ).and_return(api_response)
 
           execute_service
diff --git a/spec/services/projects/lfs_pointers/lfs_download_link_list_service_spec.rb b/spec/services/projects/lfs_pointers/lfs_download_link_list_service_spec.rb
index 574e7f36e78..de98e4c5342 100644
--- a/spec/services/projects/lfs_pointers/lfs_download_link_list_service_spec.rb
+++ b/spec/services/projects/lfs_pointers/lfs_download_link_list_service_spec.rb
@@ -84,7 +84,7 @@ RSpec.describe Projects::LfsPointers::LfsDownloadLinkListService, feature_catego
       end
 
       def stub_request(batch, response)
-        expect(Gitlab::HTTP).to receive(:post).with(
+        expect(Import::Clients::HTTP).to receive(:post).with(
           remote_uri,
           {
             body: { operation: 'download', objects: batch.map { |k, v| { oid: k, size: v } } }.to_json,
@@ -133,7 +133,7 @@ RSpec.describe Projects::LfsPointers::LfsDownloadLinkListService, feature_catego
             stub_successful_request([data[4]])
           end
 
-          it 'retreives them eventually and logs exceptions' do
+          it 'retrieves them eventually and logs exceptions' do
             expect(Gitlab::ErrorTracking).to receive(:track_exception).with(
               an_instance_of(error_class), project_id: project.id, batch_size: 5, oids_count: 5
             )
diff --git a/spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb b/spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb
index cf5ac849f63..20f92473b4d 100644
--- a/spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb
+++ b/spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb
@@ -12,8 +12,7 @@ RSpec.shared_context 'npm api setup' do
   let_it_be(:token) { create(:oauth_access_token, scopes: 'api', resource_owner: user) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
   let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running, project: project) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project]) }
 
   let(:package_name) { package.name }
   let(:snowplow_gitlab_standard_context) { { project: project, namespace: project.namespace, property: 'i_package_npm_user' } }
diff --git a/spec/support/shared_contexts/requests/api/terraform_modules_shared_context.rb b/spec/support/shared_contexts/requests/api/terraform_modules_shared_context.rb
index 359664ee4f3..0a4db597fb3 100644
--- a/spec/support/shared_contexts/requests/api/terraform_modules_shared_context.rb
+++ b/spec/support/shared_contexts/requests/api/terraform_modules_shared_context.rb
@@ -10,8 +10,9 @@ RSpec.shared_context 'for terraform modules api setup' do
   let_it_be(:personal_access_token) { create(:personal_access_token) }
   let_it_be(:user) { personal_access_token.user }
   let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
-  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
-  let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token) do
+    create(:deploy_token, read_package_registry: true, write_package_registry: true, projects: [project])
+  end
 
   let(:headers) { {} }
   let(:token) { tokens[token_type] }
diff --git a/spec/support/shared_examples/graphql/mutations/http_integrations_shared_examples.rb b/spec/support/shared_examples/graphql/mutations/http_integrations_shared_examples.rb
index 4468af1a603..091ee171b4a 100644
--- a/spec/support/shared_examples/graphql/mutations/http_integrations_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/mutations/http_integrations_shared_examples.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-RSpec.shared_examples 'creating a new HTTP integration' do
+RSpec.shared_examples 'creating a new HTTP integration' do |type = 'HTTP'|
   it 'creates a new integration' do
     post_graphql_mutation(mutation, current_user: current_user)
 
@@ -9,7 +9,7 @@ RSpec.shared_examples 'creating a new HTTP integration' do
 
     expect(response).to have_gitlab_http_status(:success)
     expect(integration_response['id']).to eq(GitlabSchema.id_from_object(new_integration).to_s)
-    expect(integration_response['type']).to eq('HTTP')
+    expect(integration_response['type']).to eq(type)
     expect(integration_response['name']).to eq(new_integration.name)
     expect(integration_response['active']).to eq(new_integration.active)
     expect(integration_response['token']).to eq(new_integration.token)
diff --git a/spec/support/shared_examples/models/concerns/integrations/base/asana_shared_examples.rb b/spec/support/shared_examples/models/concerns/integrations/base/asana_shared_examples.rb
index 61cf0bbc9cb..a063c7f75be 100644
--- a/spec/support/shared_examples/models/concerns/integrations/base/asana_shared_examples.rb
+++ b/spec/support/shared_examples/models/concerns/integrations/base/asana_shared_examples.rb
@@ -45,7 +45,8 @@ RSpec.shared_examples Integrations::Base::Asana do
         body: {
           completed: true
         },
-        headers: { "Authorization" => "Bearer verySecret" }
+        headers: { "Authorization" => "Bearer verySecret" },
+        max_bytes: an_instance_of(Integer)
       }
     end
 
@@ -98,7 +99,8 @@ RSpec.shared_examples Integrations::Base::Asana do
           body: {
             text: "#{user.name} pushed to branch main of #{project.full_name} ( https://gitlab.com/ ): #{message}"
           },
-          headers: { "Authorization" => "Bearer verySecret" }
+          headers: { "Authorization" => "Bearer verySecret" },
+          max_bytes: an_instance_of(Integer)
         }
       end
 
diff --git a/spec/support/shared_examples/models/concerns/integrations/base/telegram_shared_examples.rb b/spec/support/shared_examples/models/concerns/integrations/base/telegram_shared_examples.rb
index 270fb159dab..515656a6271 100644
--- a/spec/support/shared_examples/models/concerns/integrations/base/telegram_shared_examples.rb
+++ b/spec/support/shared_examples/models/concerns/integrations/base/telegram_shared_examples.rb
@@ -87,8 +87,10 @@ RSpec.shared_examples Integrations::Base::Telegram do
     end
 
     it 'removes the parse mode if the first request fails with a bad request' do
-      expect(Gitlab::HTTP).to receive(:post).with(integration.webhook, headers: header, body: Gitlab::Json.dump(body_1))
-      expect(Gitlab::HTTP).to receive(:post).with(integration.webhook, headers: header, body: Gitlab::Json.dump(body_2))
+      expect(Gitlab::HTTP).to receive(:post).with(integration.webhook,
+        { headers: header, body: Gitlab::Json.dump(body_1), max_bytes: an_instance_of(Integer) })
+      expect(Gitlab::HTTP).to receive(:post).with(integration.webhook,
+        { headers: header, body: Gitlab::Json.dump(body_2), max_bytes: an_instance_of(Integer) })
 
       integration.send(:notify, message, {})
     end
diff --git a/spec/support/shared_examples/models/concerns/web_hooks/web_hook_shared_examples.rb b/spec/support/shared_examples/models/concerns/web_hooks/web_hook_shared_examples.rb
index e890ee0fdad..1fa93d2d8f6 100644
--- a/spec/support/shared_examples/models/concerns/web_hooks/web_hook_shared_examples.rb
+++ b/spec/support/shared_examples/models/concerns/web_hooks/web_hook_shared_examples.rb
@@ -20,6 +20,8 @@ RSpec.shared_examples 'a webhook' do |factory:|
     it { is_expected.to validate_length_of(:custom_webhook_template).is_at_most(4096) }
     it { is_expected.to validate_length_of(:name).is_at_most(255) }
     it { is_expected.to validate_length_of(:description).is_at_most(2048) }
+    it { is_expected.to validate_length_of(:url).is_at_most(described_class::MAX_PARAM_LENGTH) }
+    it { is_expected.to validate_length_of(:token).is_at_most(described_class::MAX_PARAM_LENGTH) }
 
     describe 'url_variables' do
       it { is_expected.to allow_value({}).for(:url_variables) }
@@ -110,6 +112,33 @@ RSpec.shared_examples 'a webhook' do |factory:|
         end
       end
 
+      context 'when testing PublicUrlValidator execution around MAX_PARAM_LENGTH threshold' do
+        # Ensures invalid URLs are rejected at all lengths around MAX_PARAM_LENGTH boundary.
+        # PublicUrlValidator runs only when length <= MAX_PARAM_LENGTH, so we verify
+        # the webhook stays invalid whether rejected by URL format or by length.
+
+        let(:invalid_url_base) { 'ftp://example.com/' }
+        let(:padding_to_max_length) { described_class::MAX_PARAM_LENGTH - invalid_url_base.length }
+
+        context 'with URL length 1 less than MAX_PARAM_LENGTH' do
+          let(:url) { invalid_url_base + ('x' * (padding_to_max_length - 1)) }
+
+          it { is_expected.not_to allow_value(url).for(:url).with_message(including('allowed schemes are http')) }
+        end
+
+        context 'with URL length exactly MAX_PARAM_LENGTH' do
+          let(:url) { invalid_url_base + ('x' * padding_to_max_length) }
+
+          it { is_expected.not_to allow_value(url).for(:url).with_message(including('allowed schemes are http')) }
+        end
+
+        context 'with URL length 1 more than MAX_PARAM_LENGTH' do
+          let(:url) { invalid_url_base + ('x' * (padding_to_max_length + 1)) }
+
+          it { is_expected.not_to allow_value(url).for(:url).with_message(including('is too long')) }
+        end
+      end
+
       it 'strips :url before saving it' do
         hook.url = ' https://example.com '
         hook.save!
diff --git a/spec/support/shared_examples/policies/project_policy_shared_examples.rb b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
index 682a1ce076e..11dfbf11e5b 100644
--- a/spec/support/shared_examples/policies/project_policy_shared_examples.rb
+++ b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
@@ -91,6 +91,10 @@ end
 
 RSpec.shared_examples 'deploy token does not get confused with user' do
   before do
+    # We force the id of the deploy token and the user to be the same,
+    # which requires deleting the joining record as we cannot update
+    # the id while foreign keys reference it.
+    deploy_token.project_deploy_tokens.delete_all(:delete_all)
     deploy_token.update!(id: user_id)
 
     # Project with public builds are available to all
diff --git a/spec/support/shared_examples/services/deploy_token_shared_examples.rb b/spec/support/shared_examples/services/deploy_token_shared_examples.rb
index 263a98fa780..85e787ba1b3 100644
--- a/spec/support/shared_examples/services/deploy_token_shared_examples.rb
+++ b/spec/support/shared_examples/services/deploy_token_shared_examples.rb
@@ -2,7 +2,14 @@
 
 RSpec.shared_examples 'a deploy token creation service' do
   let(:user) { create(:user) }
-  let(:deploy_token_params) { attributes_for(:deploy_token) }
+  let(:deploy_token_params) { default_attributes }
+
+  def default_attributes(overrides = {})
+    {
+      name: 'Deploy Token',
+      read_repository: true
+    }.merge(overrides)
+  end
 
   describe '#execute' do
     subject { described_class.new(entity, user, deploy_token_params).execute }
@@ -32,7 +39,7 @@ RSpec.shared_examples 'a deploy token creation service' do
     end
 
     context 'when expires at date is not passed' do
-      let(:deploy_token_params) { attributes_for(:deploy_token, expires_at: '') }
+      let(:deploy_token_params) { default_attributes(expires_at: '') }
 
       it 'sets Forever.date' do
         expect(subject[:deploy_token].read_attribute(:expires_at)).to eq(Forever.date)
@@ -40,7 +47,7 @@ RSpec.shared_examples 'a deploy token creation service' do
     end
 
     context 'when username is empty string' do
-      let(:deploy_token_params) { attributes_for(:deploy_token, username: '') }
+      let(:deploy_token_params) { default_attributes(username: '') }
 
       it 'converts it to nil' do
         expect(subject[:deploy_token].read_attribute(:username)).to be_nil
@@ -48,7 +55,7 @@ RSpec.shared_examples 'a deploy token creation service' do
     end
 
     context 'when username is provided' do
-      let(:deploy_token_params) { attributes_for(:deploy_token, username: 'deployer') }
+      let(:deploy_token_params) { default_attributes(username: 'deployer') }
 
       it 'keeps the provided username' do
         expect(subject[:deploy_token].read_attribute(:username)).to eq('deployer')
@@ -57,7 +64,7 @@ RSpec.shared_examples 'a deploy token creation service' do
 
     context 'when the deploy token is invalid' do
       let(:deploy_token_params) do
-        attributes_for(:deploy_token, read_repository: false, read_registry: false, write_registry: false)
+        default_attributes(read_repository: false, read_registry: false, write_registry: false)
       end
 
       it 'does not create a new DeployToken' do