diff --git a/app/assets/stylesheets/pages/issues.scss b/app/assets/stylesheets/pages/issues.scss
index 25f5c0407f75..880231f5644a 100644
--- a/app/assets/stylesheets/pages/issues.scss
+++ b/app/assets/stylesheets/pages/issues.scss
@@ -1,3 +1,51 @@
+.issue-token-link {
+  &[href] {
+    color: $blue-600;
+  }
+
+  &:hover,
+  &:focus {
+    outline: none;
+    text-decoration: none;
+  }
+}
+
+.issue-token-reference {
+  margin-right: 1px;
+  background-color: $gray-lighter;
+  transition: background $general-hover-transition-duration $general-hover-transition-curve, color $general-hover-transition-duration $general-hover-transition-curve;
+
+  .issue-token:hover &,
+  .issue-token-link:focus > & {
+    background-color: $gray-normal;
+    color: $blue-800;
+    text-decoration: none;
+  }
+}
+
+.issue-token-title {
+  background-color: $gray-normal;
+  transition: background $general-hover-transition-duration $general-hover-transition-curve;
+
+  .issue-token:hover &,
+  .issue-token-link:focus > & {
+    background-color: $border-gray-normal;
+  }
+}
+
+.issue-token-remove-button {
+  background-color: $gray-normal;
+  transition: background $general-hover-transition-duration $general-hover-transition-curve;
+
+  &:hover,
+  &:focus,
+  .issue-token:hover &,
+  .issue-token-link:focus + & {
+    background-color: $border-gray-normal;
+    outline: none;
+  }
+}
+
 .issue-realtime-pre-pulse {
   opacity: 0;
 }
diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index d1b9485f06da..3e397684ffe5 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -231,8 +231,6 @@ def groups_notification(groups)
   end
 
   def ensure_verified_primary_email
-    return unless Feature.enabled?(:ensure_verified_primary_email_for_2fa, default_enabled: :yaml)
-
     unless current_user.two_factor_enabled? || current_user.primary_email_verified?
       redirect_to profile_emails_path, notice: s_('You need to verify your primary email first before enabling Two-Factor Authentication.')
     end
diff --git a/app/services/ci/stuck_builds/drop_scheduled_service.rb b/app/services/ci/stuck_builds/drop_scheduled_service.rb
new file mode 100644
index 000000000000..bc794f3fcead
--- /dev/null
+++ b/app/services/ci/stuck_builds/drop_scheduled_service.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Ci
+  module StuckBuilds
+    class DropScheduledService
+      include DropHelpers
+
+      BUILD_SCHEDULED_OUTDATED_TIMEOUT = 1.hour
+
+      def execute
+        Gitlab::AppLogger.info "#{self.class}: Cleaning scheduled, timed-out builds"
+
+        drop(scheduled_timed_out_builds, failure_reason: :stale_schedule)
+      end
+
+      private
+
+      def scheduled_timed_out_builds
+        Ci::Build.where(status: :scheduled).where( # rubocop: disable CodeReuse/ActiveRecord
+          'ci_builds.scheduled_at IS NOT NULL AND ci_builds.scheduled_at < ?',
+          BUILD_SCHEDULED_OUTDATED_TIMEOUT.ago
+        )
+      end
+    end
+  end
+end
diff --git a/app/services/ci/stuck_builds/drop_service.rb b/app/services/ci/stuck_builds/drop_service.rb
index dbc1860eb2ba..0f8375e0cf16 100644
--- a/app/services/ci/stuck_builds/drop_service.rb
+++ b/app/services/ci/stuck_builds/drop_service.rb
@@ -6,7 +6,6 @@ class DropService
       include DropHelpers
 
       BUILD_PENDING_OUTDATED_TIMEOUT = 1.day
-      BUILD_SCHEDULED_OUTDATED_TIMEOUT = 1.hour
       BUILD_PENDING_STUCK_TIMEOUT = 1.hour
       BUILD_LOOKBACK = 5.days
 
@@ -18,8 +17,6 @@ def execute
           failure_reason: :stuck_or_timeout_failure
         )
 
-        drop(scheduled_timed_out_builds, failure_reason: :stale_schedule)
-
         drop_stuck(
           pending_builds(BUILD_PENDING_STUCK_TIMEOUT.ago),
           failure_reason: :stuck_or_timeout_failure
@@ -40,13 +37,6 @@ def pending_builds(timeout)
         end
       end
       # rubocop: enable CodeReuse/ActiveRecord
-
-      def scheduled_timed_out_builds
-        Ci::Build.where(status: :scheduled).where( # rubocop: disable CodeReuse/ActiveRecord
-          'ci_builds.scheduled_at IS NOT NULL AND ci_builds.scheduled_at < ?',
-          BUILD_SCHEDULED_OUTDATED_TIMEOUT.ago
-        )
-      end
     end
   end
 end
diff --git a/app/workers/all_queues.yml b/app/workers/all_queues.yml
index 802697b66e16..ebb4e777b441 100644
--- a/app/workers/all_queues.yml
+++ b/app/workers/all_queues.yml
@@ -237,6 +237,15 @@
   :weight: 1
   :idempotent: true
   :tags: []
+- :name: cronjob:ci_stuck_builds_drop_scheduled
+  :worker_name: Ci::StuckBuilds::DropScheduledWorker
+  :feature_category: :continuous_integration
+  :has_external_dependencies:
+  :urgency: :low
+  :resource_boundary: :unknown
+  :weight: 1
+  :idempotent: true
+  :tags: []
 - :name: cronjob:container_expiration_policy
   :worker_name: ContainerExpirationPolicyWorker
   :feature_category: :container_registry
diff --git a/app/workers/ci/stuck_builds/drop_scheduled_worker.rb b/app/workers/ci/stuck_builds/drop_scheduled_worker.rb
new file mode 100644
index 000000000000..923841771cf9
--- /dev/null
+++ b/app/workers/ci/stuck_builds/drop_scheduled_worker.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Ci
+  module StuckBuilds
+    class DropScheduledWorker
+      include ApplicationWorker
+      include ExclusiveLeaseGuard
+
+      idempotent!
+
+      # rubocop:disable Scalability/CronWorkerContext
+      # This is an instance-wide cleanup query, so there's no meaningful
+      # scope to consider this in the context of.
+      include CronjobQueue
+      # rubocop:enable Scalability/CronWorkerContext
+
+      data_consistency :always
+
+      feature_category :continuous_integration
+
+      def perform
+        try_obtain_lease do
+          Ci::StuckBuilds::DropScheduledService.new.execute
+        end
+      end
+
+      private
+
+      def lease_timeout
+        30.minutes
+      end
+    end
+  end
+end
diff --git a/app/workers/stuck_ci_jobs_worker.rb b/app/workers/stuck_ci_jobs_worker.rb
index d87e866d8a70..6282c9200b10 100644
--- a/app/workers/stuck_ci_jobs_worker.rb
+++ b/app/workers/stuck_ci_jobs_worker.rb
@@ -18,6 +18,7 @@ class StuckCiJobsWorker # rubocop:disable Scalability/IdempotentWorker
 
   def perform
     Ci::StuckBuilds::DropRunningWorker.perform_in(20.minutes)
+    Ci::StuckBuilds::DropScheduledWorker.perform_in(40.minutes)
 
     return unless try_obtain_lease
 
diff --git a/config/feature_flags/development/ensure_verified_primary_email_for_2fa.yml b/config/feature_flags/development/ensure_verified_primary_email_for_2fa.yml
deleted file mode 100644
index 7a52486d3569..000000000000
--- a/config/feature_flags/development/ensure_verified_primary_email_for_2fa.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: ensure_verified_primary_email_for_2fa
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69593
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/340151
-milestone: '14.3'
-type: development
-group: group::access
-default_enabled: true
diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md
index e15812a92cd8..c689530e12c4 100644
--- a/doc/administration/gitaly/index.md
+++ b/doc/administration/gitaly/index.md
@@ -21,11 +21,11 @@ storage and retrieval. Gitaly can be:
 Gitaly implements a client-server architecture:
 
 - A Gitaly server is any node that runs Gitaly itself.
-- A Gitaly client is any node that runs a process that makes requests of the Gitaly server. These
-  include, but are not limited to:
-  - [GitLab Rails application](https://gitlab.com/gitlab-org/gitlab).
-  - [GitLab Shell](https://gitlab.com/gitlab-org/gitlab-shell).
-  - [GitLab Workhorse](https://gitlab.com/gitlab-org/gitlab-workhorse).
+- A Gitaly client is any node that runs a process that makes requests of the Gitaly server. Gitaly clients are also known as _Gitaly consumers_ and include:
+  - [GitLab Rails application](https://gitlab.com/gitlab-org/gitlab)
+  - [GitLab Shell](https://gitlab.com/gitlab-org/gitlab-shell)
+  - [GitLab Workhorse](https://gitlab.com/gitlab-org/gitlab-workhorse)
+  - [GitLab Elasticsearch Indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer)
 
 Gitaly manages only Git repository access for GitLab. Other types of GitLab data aren't accessed
 using Gitaly.
diff --git a/doc/ci/yaml/index.md b/doc/ci/yaml/index.md
index 39a1d9b035e1..67b2144c160c 100644
--- a/doc/ci/yaml/index.md
+++ b/doc/ci/yaml/index.md
@@ -3342,56 +3342,38 @@ to select a specific site profile and scanner profile.
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3515) in GitLab 11.5, you can control which failures to retry on.
 
-Use `retry` to configure how many times a job is retried in
-case of a failure.
+Use `retry` to configure how many times a job is retried if it fails.
+If not defined, defaults to `0` and jobs do not retry.
 
-When a job fails, the job is processed again,
-until the limit specified by the `retry` keyword is reached.
+When a job fails, the job is processed up to two more times, until it succeeds or
+reaches the maximum number of retries.
 
-If `retry` is set to `2`, and a job succeeds in a second run (first retry), it is not retried.
-The `retry` value must be a positive integer, from `0` to `2`
-(two retries maximum, three runs in total).
+By default, all failure types cause the job to be retried. Use [`retry:when`](#retrywhen)
+to select which failures to retry on.
 
-The following example retries all failure cases:
-
-```yaml
-test:
-  script: rspec
-  retry: 2
-```
-
-By default, a job is retried on all failure cases. To have better control
-over which failures to retry, `retry` can be a hash with the following keys:
+**Keyword type**: Job keyword. You can use it only as part of a job or in the
+[`default:` section](#custom-default-keyword-values).
 
-- `max`: The maximum number of retries.
-- `when`: The failure cases to retry.
+**Possible inputs**: `0` (default), `1`, or `2`.
 
-To retry only runner system failures at maximum two times:
+**Example of `retry`**:
 
 ```yaml
 test:
   script: rspec
-  retry:
-    max: 2
-    when: runner_system_failure
+  retry: 2
 ```
 
-If there is another failure, other than a runner system failure, the job
-is not retried.
+#### `retry:when`
 
-To retry on multiple failure cases, `when` can also be an array of failures:
+Use `retry:when` with `retry:max` to retry jobs for only specific failure cases.
+`retry:max` is the maximum number of retries, like [`retry`](#retry), and can be
+`0`, `1`, or `2`.
 
-```yaml
-test:
-  script: rspec
-  retry:
-    max: 2
-    when:
-      - runner_system_failure
-      - stuck_or_timeout_failure
-```
+**Keyword type**: Job keyword. You can use it only as part of a job or in the
+[`default:` section](#custom-default-keyword-values).
 
-Possible values for `when` are:
+**Possible inputs**: A single failure type, or an array of one or more failure types:
 
 <!--
   If you change any of the values below, make sure to update the `RETRY_WHEN_IN_DOCUMENTATION`
@@ -3415,7 +3397,34 @@ Possible values for `when` are:
 - `scheduler_failure`: Retry if the scheduler failed to assign the job to a runner.
 - `data_integrity_failure`: Retry if there is a structural integrity problem detected.
 
-You can specify the number of [retry attempts for certain stages of job execution](../runners/configure_runners.md#job-stages-attempts) using variables.
+**Example of `retry:when`** (single failure type):
+
+```yaml
+test:
+  script: rspec
+  retry:
+    max: 2
+    when: runner_system_failure
+```
+
+If there is a failure other than a runner system failure, the job is not retried.
+
+**Example of `retry:when`** (array of failure types):
+
+```yaml
+test:
+  script: rspec
+  retry:
+    max: 2
+    when:
+      - runner_system_failure
+      - stuck_or_timeout_failure
+```
+
+**Related topics**:
+
+You can specify the number of [retry attempts for certain stages of job execution](../runners/configure_runners.md#job-stages-attempts)
+using variables.
 
 ### `timeout`
 
diff --git a/doc/development/documentation/feature_flags.md b/doc/development/documentation/feature_flags.md
index 5a4d365ed20e..c169af1958e8 100644
--- a/doc/development/documentation/feature_flags.md
+++ b/doc/development/documentation/feature_flags.md
@@ -37,14 +37,14 @@ FLAG:
 
 | If the feature is...     | Use this text |
 |--------------------------|---------------|
-| Available                | `On self-managed GitLab, by default this feature is available. To hide the feature, ask an administrator to [disable the <flag name> flag](<path to>/administration/feature_flags.md).` |
-| Unavailable              | `On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the <flag name> flag](<path to>/administration/feature_flags.md).` |
-| Available, per-group     | `On self-managed GitLab, by default this feature is available. To hide the feature per group, ask an administrator to [disable the <flag name> flag](<path to>/administration/feature_flags.md).` |
-| Unavailable, per-group   | `On self-managed GitLab, by default this feature is not available. To make it available per group, ask an administrator to [enable the <flag name> flag](<path to>/administration/feature_flags.md).` |
-| Available, per-project   | `On self-managed GitLab, by default this feature is available. To hide the feature per project or for your entire instance, ask an administrator to [disable the <flag name> flag](<path to>/administration/feature_flags.md).` |
-| Unavailable, per-project | `On self-managed GitLab, by default this feature is not available. To make it available per project or for your entire instance, ask an administrator to [enable the <flag name> flag](<path to>/administration/feature_flags.md).` |
-| Available, per-user      | `On self-managed GitLab, by default this feature is available. To hide the feature per user, ask an administrator to [disable the <flag name> flag](<path to>/administration/feature_flags.md).` |
-| Unavailable, per-user    | `On self-managed GitLab, by default this feature is not available. To make it available per user, ask an administrator to [enable the <flag name> flag](<path to>/administration/feature_flags.md).` |
+| Available                | `On self-managed GitLab, by default this feature is available. To hide the feature, ask an administrator to [disable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
+| Unavailable              | `On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
+| Available, per-group     | `On self-managed GitLab, by default this feature is available. To hide the feature per group, ask an administrator to [disable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
+| Unavailable, per-group   | `On self-managed GitLab, by default this feature is not available. To make it available per group, ask an administrator to [enable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
+| Available, per-project   | `On self-managed GitLab, by default this feature is available. To hide the feature per project or for your entire instance, ask an administrator to [disable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
+| Unavailable, per-project | `On self-managed GitLab, by default this feature is not available. To make it available per project or for your entire instance, ask an administrator to [enable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
+| Available, per-user      | `On self-managed GitLab, by default this feature is available. To hide the feature per user, ask an administrator to [disable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
+| Unavailable, per-user    | `On self-managed GitLab, by default this feature is not available. To make it available per user, ask an administrator to [enable the feature flag](<path to>/administration/feature_flags.md) named <flag name>.` |
 
 ### GitLab.com availability information
 
@@ -67,7 +67,7 @@ When the state of a flag changes (for example, disabled by default to enabled by
 Possible version history entries are:
 
 ```markdown
-> - [Introduced](issue-link) in GitLab X.X. [Deployed behind the <flag name> flag](../../administration/feature_flags.md), disabled by default.
+> - [Introduced](issue-link) in GitLab X.X [with a flag](../../administration/feature_flags.md) named <flag name>. Disabled by default.
 > - [Enabled on GitLab.com](issue-link) in GitLab X.X.
 > - [Enabled on GitLab.com](issue-link) in GitLab X.X. Available to GitLab.com administrators only.
 > - [Enabled on self-managed](issue-link) in GitLab X.X.
@@ -80,31 +80,31 @@ Possible version history entries are:
 The following examples show the progression of a feature flag.
 
 ```markdown
-> Introduced in GitLab 13.7. [Deployed behind the `forti_token_cloud` flag](../../administration/feature_flags.md), disabled by default.
+> Introduced in GitLab 13.7 [with a flag](../../administration/feature_flags.md) named `forti_token_cloud`. Disabled by default.
 
 FLAG:
 On self-managed GitLab, by default this feature is not available. To make it available,
-ask an administrator to [enable the `forti_token_cloud` flag](../administration/feature_flags.md).`
+ask an administrator to [enable the featured flag](../administration/feature_flags.md) named `forti_token_cloud`.
 The feature is not ready for production use.
 ```
 
 When the feature is enabled in production, you can update the version history:
 
 ```markdown
-> - Introduced in GitLab 13.7. [Deployed behind the `forti_token_cloud` flag](../../administration/feature_flags.md), disabled by default.
+> - Introduced in GitLab 13.7 [with a flag](../../administration/feature_flags.md) named `forti_token_cloud`. Disabled by default.
 > - [Enabled on self-managed](https://gitlab.com/issue/etc) GitLab 13.8.
 
 FLAG:
 On self-managed GitLab, by default this feature is available. To hide the feature per user,
-ask an administrator to [disable the `forti_token_cloud` flag](../administration/feature_flags.md).
+ask an administrator to [disable the feature flag](../administration/feature_flags.md) named `forti_token_cloud`.
 ```
 
 And, when the feature is done and fully available to all users:
 
 ```markdown
-> - Introduced in GitLab 13.7. [Deployed behind the `forti_token_cloud` flag](../../administration/feature_flags.md), disabled by default.
+> - Introduced in GitLab 13.7 [with a flag](../../administration/feature_flags.md) named `forti_token_cloud`. Disabled by default.
 > - [Enabled on self-managed](https://gitlab.com/issue/etc) GitLab 13.8.
 > - [Enabled on GitLab.com](https://gitlab.com/issue/etc) in GitLab 13.9.
-> - [Feature flag `forti_token_cloud`](https://gitlab.com/issue/etc) removed in GitLab 14.0.
+> - [Feature flag removed](https://gitlab.com/issue/etc) in GitLab 14.0.
 > - [Generally available](issue-link) in GitLab 14.0.
 ```
diff --git a/doc/development/service_ping/implement.md b/doc/development/service_ping/implement.md
index d9e5e0cda90c..5c7c2e14359b 100644
--- a/doc/development/service_ping/implement.md
+++ b/doc/development/service_ping/implement.md
@@ -1031,9 +1031,9 @@ Example metrics persistence:
 class UsageData
   def count_secure_pipelines(time_period)
     ...
-    relation = ::Security::Scan.latest_successful_by_build.by_scan_types(scan_type).where(security_scans: time_period)
+    relation = ::Security::Scan.by_scan_types(scan_type).where(time_period)
 
-    pipelines_with_secure_jobs['dependency_scanning_pipeline'] = estimate_batch_distinct_count(relation, :commit_id, batch_size: 1000, start: start_id, finish: finish_id) do |result|
+    pipelines_with_secure_jobs['dependency_scanning_pipeline'] = estimate_batch_distinct_count(relation, :pipeline_id, batch_size: 1000, start: start_id, finish: finish_id) do |result|
       ::Gitlab::Usage::Metrics::Aggregates::Sources::PostgresHll
         .save_aggregated_metrics(metric_name: 'dependency_scanning_pipeline', recorded_at_timestamp: recorded_at, time_period: time_period, data: result)
     end
diff --git a/doc/index.md b/doc/index.md
index 9c96c966aee3..a638647e3e33 100644
--- a/doc/index.md
+++ b/doc/index.md
@@ -40,7 +40,7 @@ Have a look at some of our most popular topics:
 |:-------------------------------------------------------------------------------------------|:------------|
 | [Two-factor authentication](user/profile/account/two_factor_authentication.md)             | Improve the security of your GitLab account. |
 | [GitLab groups](user/group/index.md)                                                       | Manage projects together. |
-| [GitLab CI/CD pipeline configuration reference](ci/yaml/index.md)                         | Available configuration options for `.gitlab-ci.yml` files. |
+| [Keyword reference for the `.gitlab-ci.yml` file](ci/yaml/index.md)                        | Available configuration options for `.gitlab-ci.yml` files. |
 | [Activate GitLab EE with a license](user/admin_area/license.md)                            | Activate GitLab Enterprise Edition functionality with a license. |
 | [Back up and restore GitLab](raketasks/backup_restore.md)                                  | Rake tasks for backing up and restoring GitLab self-managed instances. |
 | [GitLab release and maintenance policy](policy/maintenance.md)                             | Policies for version naming and cadence, and also upgrade recommendations. |
diff --git a/doc/user/application_security/cve_id_request.md b/doc/user/application_security/cve_id_request.md
index 1489b250e4b9..5ffd47527c53 100644
--- a/doc/user/application_security/cve_id_request.md
+++ b/doc/user/application_security/cve_id_request.md
@@ -5,65 +5,64 @@ group: Threat Insights
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
 
-# CVE ID Requests **(FREE SAAS)**
+# CVE ID request **(FREE SAAS)**
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
 
-As part of [our role as a CVE Numbering Authority](https://about.gitlab.com/security/cve/)
-([CNA](https://cve.mitre.org/cve/cna.html)), you may request
-[CVE](https://cve.mitre.org/index.html) identifiers from GitLab to track
-vulnerabilities found within your project.
+A [CVE](https://cve.mitre.org/index.html) identifier is assigned to a publicly-disclosed software
+vulnerability. GitLab is a [CVE Numbering Authority](https://about.gitlab.com/security/cve/)
+([CNA](https://cve.mitre.org/cve/cna.html)). For any public project you can request
+a CVE identifier (ID).
 
-## Overview
+Assigning a CVE ID to a vulnerability in your project helps your users stay secure and informed. For
+example, [dependency scanning tools](../application_security/dependency_scanning/index.md) can
+detect when vulnerable versions of your project are used as a dependency.
 
-CVE identifiers track specific vulnerabilities within projects. Having a CVE assigned to a
-vulnerability in your project helps your users stay secure and informed. For example,
-[dependency scanning tools](../application_security/dependency_scanning/index.md)
-can detect when vulnerable versions of your project are used as a dependency.
+A common vulnerability workflow is:
 
-## Conditions
+1. Request a CVE for a vulnerability.
+1. Reference the assigned CVE identifier in release notes.
+1. Publish the vulnerability's details after the fix is released.
 
-If the following conditions are met, a **Request CVE ID** button appears in your issue sidebar:
+## Prerequisites
 
-- The project is hosted in GitLab.com.
+To [submit a CVE ID Request](#submit-a-cve-id-request) the following prerequisites must be met:
+
+- The project is hosted on GitLab.com.
 - The project is public.
 - You are a maintainer of the project.
-- The issue is [confidential](../project/issues/confidential_issues.md).
-
-## Submitting a CVE ID Request
-
-Clicking the **Request CVE ID** button in the issue sidebar takes you to the new issue page for
-the [GitLab CVE project](https://gitlab.com/gitlab-org/cves).
+- The vulnerability's issue is [confidential](../project/issues/confidential_issues.md).
 
-![CVE ID request button](img/cve_id_request_button.png)
+## Submit a CVE ID request
 
-Creating the [confidential issue](../project/issues/confidential_issues.md) starts the CVE request process.
+To submit a CVE ID request:
 
-![New CVE ID request issue](img/new_cve_request_issue.png)
+1. Go to the vulnerability's issue and select **Create CVE ID Request**. The new issue page of
+   the [GitLab CVE project](https://gitlab.com/gitlab-org/cves) opens.
 
-You are required to fill in the issue description, which includes:
+   ![CVE ID request button](img/cve_id_request_button.png)
 
-- A description of the vulnerability
-- The project's vendor and name
-- Impacted versions
-- Fixed versions
-- The vulnerability type (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
-- A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
+1. In the **Title** box, enter a brief description of the vulnerability.
 
-## CVE Assignment
+1. In the **Description** box, enter the following details:
 
-GitLab triages your submitted CVE ID request and communicates with you throughout the CVE validation
-and assignment process.
+   - A detailed description of the vulnerability
+   - The project's vendor and name
+   - Impacted versions
+   - Fixed versions
+   - The vulnerability class (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
+   - A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
 
-![CVE ID request communication](img/cve_request_communication.png)
+   ![New CVE ID request issue](img/new_cve_request_issue.png)
 
-Once a CVE identifier is assigned, you may use and reference it as you see fit.
+GitLab updates your CVE ID request issue when:
 
-Details of the vulnerability submitted in the CVE ID request are published according to your
-schedule. It's common to request a CVE for an unpatched vulnerability, reference the assigned CVE
-identifier in release notes, and later publish the vulnerability's details after the fix is
-released.
+- Your submission is assigned a CVE.
+- Your CVE is published.
+- MITRE is notified that your CVE is published.
+- MITRE has added your CVE in the NVD feed.
 
-Separate communications notify you when different stages of the publication process are complete.
+## CVE assignment
 
-![CVE ID request publication communication](img/cve_request_communication_publication.png)
+After a CVE identifier is assigned, you can reference it as required. Details of the vulnerability
+submitted in the CVE ID request are published according to your schedule.
diff --git a/doc/user/application_security/img/cve_request_communication.png b/doc/user/application_security/img/cve_request_communication.png
deleted file mode 100644
index 5c58df463efb..000000000000
Binary files a/doc/user/application_security/img/cve_request_communication.png and /dev/null differ
diff --git a/doc/user/application_security/img/cve_request_communication_publication.png b/doc/user/application_security/img/cve_request_communication_publication.png
deleted file mode 100644
index 9eb6f2f8d9fb..000000000000
Binary files a/doc/user/application_security/img/cve_request_communication_publication.png and /dev/null differ
diff --git a/doc/user/application_security/img/new_cve_request_issue.png b/doc/user/application_security/img/new_cve_request_issue.png
index 6ea7ca4a2abf..5f9deeb7bd91 100644
Binary files a/doc/user/application_security/img/new_cve_request_issue.png and b/doc/user/application_security/img/new_cve_request_issue.png differ
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index 0b69e609437e..ded3b48188a4 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -110,7 +110,7 @@ However, users are not prompted to sign in through SSO on each visit. GitLab che
 has authenticated through SSO. If it's been more than 1 day since the last sign-in, GitLab
 prompts the user to sign in again through SSO.
 
-We intend to add a similar SSO requirement for [API activity](https://gitlab.com/gitlab-org/gitlab/-/issues/9152).
+We intend to add a similar SSO requirement for [API activity](https://gitlab.com/gitlab-org/gitlab/-/issues/297389).
 
 SSO has the following effects when enabled:
 
diff --git a/doc/user/profile/account/two_factor_authentication.md b/doc/user/profile/account/two_factor_authentication.md
index 44537707db6b..e3f63ba07485 100644
--- a/doc/user/profile/account/two_factor_authentication.md
+++ b/doc/user/profile/account/two_factor_authentication.md
@@ -35,7 +35,8 @@ still access your account if you lose your U2F / WebAuthn device.
 
 ## Enabling 2FA
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35102) in GitLab 14.3, account email confirmation required.
+> - Account email confirmation requirement [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35102) in GitLab 14.3. [Deployed behind the `ensure_verified_primary_email_for_2fa` flag](../../../administration/feature_flags.md), enabled by default.
+> - Account email confirmation requirement generally available and [feature flag `ensure_verified_primary_email_for_2fa` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340151) in GitLab 14.4.
 
 There are multiple ways to enable two-factor authentication (2FA):
 
@@ -44,11 +45,6 @@ There are multiple ways to enable two-factor authentication (2FA):
 
 In GitLab 14.3 and later, your account email must be confirmed to enable two-factor authentication.
 
-FLAG:
-On self-managed GitLab, account email confirmation requirement is enabled. To disable this
-restriction, ask an administrator to
-[disable the `ensure_verified_primary_email_for_2fa` flag](../../../administration/feature_flags.md).
-
 ### One-time password
 
 To enable 2FA:
diff --git a/doc/user/project/merge_requests/reviews/suggestions.md b/doc/user/project/merge_requests/reviews/suggestions.md
index 4027ec08234c..ac1cd57fb99c 100644
--- a/doc/user/project/merge_requests/reviews/suggestions.md
+++ b/doc/user/project/merge_requests/reviews/suggestions.md
@@ -33,9 +33,8 @@ which generates a commit in the merge request authored by the user that suggeste
 
    ![Apply suggestions](img/apply_suggestion_v13_9.png)
 
-1. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/25381) in GitLab 13.9,
-   you can opt to add a custom commit message to describe your change. If you don't
-   specify it, the default commit message is used. It is not supported for [batch suggestions](#batch-suggestions).
+1. Optionally specify a custom commit message for individual suggestions (GitLab 13.9 and later) to
+   describe your change. If you don't specify it, the default commit message is used.
 
    ![Custom commit](img/custom_commit_v13_9.png)
 
@@ -118,6 +117,7 @@ introduced by [#25381](https://gitlab.com/gitlab-org/gitlab/-/issues/25381).
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/25486) in GitLab 13.1 as an [alpha feature](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha) behind a feature flag, disabled by default.
 > - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/227799) in GitLab 13.2.
 > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/320755) in GitLab 13.11.
+> - Custom commit messages for batch suggestions [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326168) in GitLab 14.4.
 
 You can apply multiple suggestions at once to reduce the number of commits added
 to your branch to address your reviewers' requests.
@@ -134,7 +134,10 @@ to your branch to address your reviewers' requests.
 
    ![A code change suggestion displayed, with the button to remove that suggestion from its batch highlighted.](img/remove_suggestion_from_batch_v13_1.jpg "Remove a suggestion from a batch")
 
-1. Having added all the suggestions to your liking, when ready, select **Apply suggestions**:
+1. Having added all the suggestions to your liking, when ready, select **Apply suggestions**. You
+   can optionally specify a custom commit message for [batch suggestions](#batch-suggestions)
+   (GitLab 14.4 and later) to describe your change. If you don't specify it, the default commit
+   message is used.
 
    ![A code change suggestion displayed, with the button to apply the batch of suggestions highlighted.](img/apply_batch_of_suggestions_v13_1.jpg "Apply a batch of suggestions")
 
diff --git a/spec/controllers/profiles/two_factor_auths_controller_spec.rb b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
index a0e2cf671afb..0af04e589036 100644
--- a/spec/controllers/profiles/two_factor_auths_controller_spec.rb
+++ b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
@@ -27,12 +27,6 @@
       expect(flash[:notice])
         .to eq _('You need to verify your primary email first before enabling Two-Factor Authentication.')
     end
-
-    it 'does not redirect when the `ensure_verified_primary_email_for_2fa` feature flag is disabled' do
-      stub_feature_flags(ensure_verified_primary_email_for_2fa: false)
-
-      expect(response).not_to redirect_to(profile_emails_path)
-    end
   end
 
   shared_examples 'user must enter a valid current password' do
diff --git a/spec/services/ci/stuck_builds/drop_running_service_spec.rb b/spec/services/ci/stuck_builds/drop_running_service_spec.rb
index 2b3affa2ef0e..c1c92c2b8e23 100644
--- a/spec/services/ci/stuck_builds/drop_running_service_spec.rb
+++ b/spec/services/ci/stuck_builds/drop_running_service_spec.rb
@@ -22,7 +22,7 @@
         let(:created_at) { outdated_time }
         let(:updated_at) { outdated_time }
 
-        it_behaves_like 'job is dropped'
+        it_behaves_like 'job is dropped with failure reason', 'stuck_or_timeout_failure'
       end
 
       context 'when job is fresh' do
diff --git a/spec/services/ci/stuck_builds/drop_scheduled_service_spec.rb b/spec/services/ci/stuck_builds/drop_scheduled_service_spec.rb
new file mode 100644
index 000000000000..1416fab3d250
--- /dev/null
+++ b/spec/services/ci/stuck_builds/drop_scheduled_service_spec.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::StuckBuilds::DropScheduledService do
+  let_it_be(:runner) { create :ci_runner }
+
+  let!(:job) { create :ci_build, :scheduled, scheduled_at: scheduled_at, runner: runner }
+
+  subject(:service) { described_class.new }
+
+  context 'when job is scheduled' do
+    context 'for more than an hour ago' do
+      let(:scheduled_at) { 2.hours.ago }
+
+      it_behaves_like 'job is dropped with failure reason', 'stale_schedule'
+    end
+
+    context 'for less than 1 hour ago' do
+      let(:scheduled_at) { 30.minutes.ago }
+
+      it_behaves_like 'job is unchanged'
+    end
+  end
+
+  %w(success skipped failed canceled running pending).each do |status|
+    context "when job is #{status}" do
+      before do
+        job.update!(status: status)
+      end
+
+      context 'and scheduled for more than an hour ago' do
+        let(:scheduled_at) { 2.hours.ago }
+
+        it_behaves_like 'job is unchanged'
+      end
+
+      context 'and scheduled for less than 1 hour ago' do
+        let(:scheduled_at) { 30.minutes.ago }
+
+        it_behaves_like 'job is unchanged'
+      end
+    end
+  end
+
+  context 'when there are no stale scheduled builds' do
+    let(:job) { }
+
+    it 'does not drop the stale scheduled build yet' do
+      expect { service.execute }.not_to raise_error
+    end
+  end
+end
diff --git a/spec/services/ci/stuck_builds/drop_service_spec.rb b/spec/services/ci/stuck_builds/drop_service_spec.rb
index 4aca19ae7b91..d57fbbe895a0 100644
--- a/spec/services/ci/stuck_builds/drop_service_spec.rb
+++ b/spec/services/ci/stuck_builds/drop_service_spec.rb
@@ -33,13 +33,13 @@
         context 'when created_at is the same as updated_at' do
           let(:created_at) { 1.5.days.ago }
 
-          it_behaves_like 'job is dropped'
+          it_behaves_like 'job is dropped with failure reason', 'stuck_or_timeout_failure'
         end
 
         context 'when created_at is before updated_at' do
           let(:created_at) { 3.days.ago }
 
-          it_behaves_like 'job is dropped'
+          it_behaves_like 'job is dropped with failure reason', 'stuck_or_timeout_failure'
         end
 
         context 'when created_at is outside lookback window' do
@@ -107,13 +107,13 @@
         context 'when created_at is the same as updated_at' do
           let(:created_at) { 1.5.hours.ago }
 
-          it_behaves_like 'job is dropped'
+          it_behaves_like 'job is dropped with failure reason', 'stuck_or_timeout_failure'
         end
 
         context 'when created_at is before updated_at' do
           let(:created_at) { 3.days.ago }
 
-          it_behaves_like 'job is dropped'
+          it_behaves_like 'job is dropped with failure reason', 'stuck_or_timeout_failure'
         end
 
         context 'when created_at is outside lookback window' do
@@ -198,45 +198,4 @@
 
     it_behaves_like 'job is unchanged'
   end
-
-  describe 'drop stale scheduled builds' do
-    let(:status) { 'scheduled' }
-    let(:updated_at) { }
-
-    context 'when scheduled at 2 hours ago but it is not executed yet' do
-      let!(:job) { create(:ci_build, :scheduled, scheduled_at: 2.hours.ago) }
-
-      it 'drops the stale scheduled build' do
-        expect(Ci::Build.scheduled.count).to eq(1)
-        expect(job).to be_scheduled
-
-        service.execute
-        job.reload
-
-        expect(Ci::Build.scheduled.count).to eq(0)
-        expect(job).to be_failed
-        expect(job).to be_stale_schedule
-      end
-    end
-
-    context 'when scheduled at 30 minutes ago but it is not executed yet' do
-      let!(:job) { create(:ci_build, :scheduled, scheduled_at: 30.minutes.ago) }
-
-      it 'does not drop the stale scheduled build yet' do
-        expect(Ci::Build.scheduled.count).to eq(1)
-        expect(job).to be_scheduled
-
-        service.execute
-
-        expect(Ci::Build.scheduled.count).to eq(1)
-        expect(job).to be_scheduled
-      end
-    end
-
-    context 'when there are no stale scheduled builds' do
-      it 'does not drop the stale scheduled build yet' do
-        expect { service.execute }.not_to raise_error
-      end
-    end
-  end
 end
diff --git a/spec/support/shared_examples/ci/stuck_builds_shared_examples.rb b/spec/support/shared_examples/ci/stuck_builds_shared_examples.rb
index 2f26dac46e2c..4fcea18393c6 100644
--- a/spec/support/shared_examples/ci/stuck_builds_shared_examples.rb
+++ b/spec/support/shared_examples/ci/stuck_builds_shared_examples.rb
@@ -1,12 +1,12 @@
 # frozen_string_literal: true
 
-RSpec.shared_examples 'job is dropped' do
+RSpec.shared_examples 'job is dropped with failure reason' do |failure_reason|
   it 'changes status' do
     service.execute
     job.reload
 
     expect(job).to be_failed
-    expect(job).to be_stuck_or_timeout_failure
+    expect(job.failure_reason).to eq(failure_reason)
   end
 
   context 'when job has data integrity problem' do
@@ -23,16 +23,13 @@
       job.reload
 
       expect(job).to be_failed
-      expect(job).to be_data_integrity_failure
+      expect(job.failure_reason).to eq('data_integrity_failure')
     end
   end
 end
 
 RSpec.shared_examples 'job is unchanged' do
   it 'does not change status' do
-    service.execute
-    job.reload
-
-    expect(job.status).to eq(status)
+    expect { service.execute }.not_to change(job, :status)
   end
 end
diff --git a/spec/workers/ci/stuck_builds/drop_scheduled_worker_spec.rb b/spec/workers/ci/stuck_builds/drop_scheduled_worker_spec.rb
new file mode 100644
index 000000000000..57be799d8901
--- /dev/null
+++ b/spec/workers/ci/stuck_builds/drop_scheduled_worker_spec.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::StuckBuilds::DropScheduledWorker do
+  include ExclusiveLeaseHelpers
+
+  let(:worker)     { described_class.new }
+  let(:lease_uuid) { SecureRandom.uuid }
+
+  describe '#perform' do
+    subject { worker.perform }
+
+    it_behaves_like 'an idempotent worker'
+
+    it 'executes an instance of Ci::StuckBuilds::DropScheduledService with an exclusive lease' do
+      expect_to_obtain_exclusive_lease(worker.lease_key, lease_uuid)
+
+      expect_next_instance_of(Ci::StuckBuilds::DropScheduledService) do |service|
+        expect(service).to receive(:execute).exactly(:once)
+      end
+
+      expect_to_cancel_exclusive_lease(worker.lease_key, lease_uuid)
+
+      subject
+    end
+  end
+end
diff --git a/spec/workers/stuck_ci_jobs_worker_spec.rb b/spec/workers/stuck_ci_jobs_worker_spec.rb
index 8aed945cf449..1eee3535f713 100644
--- a/spec/workers/stuck_ci_jobs_worker_spec.rb
+++ b/spec/workers/stuck_ci_jobs_worker_spec.rb
@@ -22,6 +22,12 @@
       worker.perform
     end
 
+    it 'enqueues a Ci::StuckBuilds::DropScheduledWorker job' do
+      expect(Ci::StuckBuilds::DropScheduledWorker).to receive(:perform_in).with(40.minutes).exactly(:once)
+
+      worker.perform
+    end
+
     it 'executes an instance of Ci::StuckBuilds::DropService' do
       expect_next_instance_of(Ci::StuckBuilds::DropService) do |service|
         expect(service).to receive(:execute).exactly(:once)