Web anything doesn't belong on a security device ..
“A specially crafted HTTP request sends a password reset link to an unverified, attacker-controlled email address, enabling unauthorized account takeovers.”
The US Cybersecurity and Infrastructure Security Agency (CISA) is forcing all federal agencies to patch a critical vulnerability in GitLab's Community and Enterprise editions, confirming it is very much under "active exploit." When CISA adds a vulnerability to its Known Exploited Vulnerabilities (KEV) list, it means all …
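As an added illustration of the flaw class quoted above (this is example code, not GitLab's code or anything from the article): a reset handler that trusts an e-mail address carried in the request beside one that only ever mails the verified address already on file. The request shape, user store and secret are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed user store: username -> verified e-mail on record (not real data).
USERS = {"alice": "alice@example.com"}
SECRET = b"constructed-server-secret"  # assumed server-side key


def reset_token(username: str) -> str:
    """Unguessable per-request token bound to the account (HMAC over a random nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def vulnerable_reset(request: dict, outbox: list) -> str:
    """Flawed pattern: the link is mailed to whatever address the request supplies,
    so anyone who knows a username can have the reset link delivered to themselves."""
    username = request.get("username", "")
    if username in USERS:
        outbox.append((request.get("email", ""), reset_token(username)))
    return "ok"


def hardened_reset(request: dict, outbox: list) -> str:
    """Fixed pattern: any e-mail in the request is ignored; the link goes only to the
    verified address stored for the account, and the response never reveals whether
    the account exists."""
    username = request.get("username", "")
    verified = USERS.get(username)
    if verified is not None:
        outbox.append((verified, reset_token(username)))
    return "If the account exists, a reset link has been sent to its verified address."
```

The detection angle is the same in both directions: a reset endpoint should never log or accept a recipient address from the client, so any request body carrying one is worth alerting on.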
You're absolutely right, except you're wrong because today, developers have the habit ingrained in their skulls that production servers should download code from 3rd-party servers.
It's in the bloodstream now; there's nothing anyone can do about it - except the miscreants.
If they create enough mayhem, bloodshed and tears to make all CTOs and CIOs scream for keeping production server code under control, then we might get back to those hallowed times when an admin actually knew what was running on the server he was responsible for.
But, these days, the mantra is "move fast and break things" and, boy, how we are setting ourselves up to be broken . . .
GitLab has always been crap, just look at its ugly URLs. At least GitHub has nice URLs that can easily be edited to select another pull request or repo, but nope, everything in GitLab is database ids because using human-readable names in URLs is too hard.
Same problem with Bitbucket.
Funny how they are also the sources of considerable numbers of very basic security exploits, while GitHub, with its better URLs, also has better security.
So congratulations on your shitty URLs to save a few hours of effort; I guess the same is also true of your code reviews and efforts in doing the right thing about security. Just rush it through.