I would use Gitlab only in an airgapped network. Password resets sent to attacker-supplied emails is such a complete failure of a security model it seems like it is only a matter of time until the next critical vulnerability.