
GitLab instance version disclosed publicly in pages source

The GitLab instance version is exposed publicly in any page's source. The reason is that the Help dropdown in the super sidebar surfaces the version to admin users.

Screenshot: Help dropdown as seen by an instance admin

While the dropdown item's rendering is properly guarded behind a show_version_check? check, the data itself is passed to the client without that same check. As a result, the version number can be read by viewing any page's source:

Screenshot: Viewing the page source at https://gitlab.com/explore as an anonymous user

This poses a security risk, as it makes it trivial for malicious actors to find potential attack vectors that affect a specific version of GitLab. We should ensure this information is never present in the source unless the user is logged in and has permission to see it.
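The bug class here is a permission check applied at render time but not at serialization time. The following is an added illustration, not GitLab's own code: `User`, `INSTANCE_VERSION`, the `help_dropdown_data_*` helpers and the stand-in `show_version_check?` are all assumed names, and the version string is a constructed sample.

```ruby
require 'json'

# Minimal stand-in for the current user (assumed attributes, not GitLab's model).
User = Struct.new(:logged_in, :admin, keyword_init: true)
ANONYMOUS = User.new(logged_in: false, admin: false)

# Constructed sample value; not a real disclosure.
INSTANCE_VERSION = "99.0.0-example"

# Stand-in for the show_version_check? helper the issue refers to.
def show_version_check?(user)
  user.logged_in && user.admin
end

# Before: the dropdown *item* is gated on show_version_check?, but the hash
# handed to the client (serialized into the page as JSON) always carries the
# version, so anonymous page source still contains it.
def help_dropdown_data_leaky(user)
  {
    show_version_check: show_version_check?(user),
    gitlab_version: INSTANCE_VERSION
  }
end

# After: apply the same check when building the data, so the version string
# is only serialized for users who are allowed to see it.
def help_dropdown_data_fixed(user)
  data = { show_version_check: show_version_check?(user) }
  data[:gitlab_version] = INSTANCE_VERSION if data[:show_version_check]
  data
end

# Regression check: does the serialized payload (what ends up in the page
# source) contain the version string at all?
def page_source_leaks_version?(data)
  JSON.generate(data).include?(INSTANCE_VERSION)
end
```

The regression check is the kind of assertion worth keeping in a spec for the anonymous case, since it catches the leak regardless of whether the dropdown item itself renders.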

Note: We first started exposing the version number in %15.9 as part of !110786 (merged). At the time, the user needed to be logged in, and the super_sidebar_nav feature flag enabled for the information to be present in the source. We later (%16.3) made it possible for anonymous users to see the version, but that then required the super_sidebar_logged_out feature flag to be enabled (!126125 (merged)). The latter feature flag was removed in %16.6 (!134890 (merged)), which is when the version number started being "leaked-by-default" for all anonymous users.

Edited by Paul Gascou-Vaillancourt