Any vendor GitLab works with already has potential access. Just because you have a known front-end attack vector doesn’t mean you’ve gone from 1 to 4. You’ve been at N the whole time, it just hasn’t been as visible.
FWIW I agree that on-page JS on pages with source code is a terrible idea, but that’s easily fixable and doesn’t seem to be at the root of the issue.