Merge latest upstream updates from 2.10 branch

Merge in all updates up to 2.10.21.

This MR also updates some Gems extremely conservatively, mostly those related to OmniAuth. A separate task should be created for a more complete update, including updating to a newer OmniAuth version (which can break things).

Unlike the upstream, we don’t want to rely on Gems checked into Git, as we extend their set of dependencies, and it’s tricky to tell Bundler to download extra dependencies and not just fail. To make sure Gems aren’t vendored, add an extra sanity check stage.