I know the claims, but look at Gitea version v1.24.7 (with some security fixes), released on October 25th, which includes 'fix LFS auth bypass, fix symlink bypass' that was merged on October 20th (#35708). This was fixed in Forgejo on the 25th https://codeberg.org/forgejo/forgejo/commit/fa1a2ba669301238... and released on the 26th, although "Originally scheduled for 7 November, the release date of these patches was advanced because a vulnerability had been leaked publicly." (https://codeberg.org/forgejo/forgejo/src/branch/forgejo/rele...)

Security wise, Gitea was safer in this case.

Also note the SECURITY.md was deleted: https://codeberg.org/forgejo/forgejo/commit/277dd02e706b6e51..., there is a security https://forgejo.org/docs/next/contributor/discussions/#secur... but it's a bit harder to find.

The problem is, Forgejo changed the license (https://codeberg.org/forgejo/governance/pulls/24#issuecommen...) and ended up doing a hard fork (https://forgejo.org/2024-02-forking-forward/#consequences-of...) which creates quite some maintenance burden. There used to be a (weekly) gitea chery-pick (e.g. https://codeberg.org/forgejo/forgejo/pulls?state=closed&labe...) but the TODO section was getting ever larger, and it seems it stopped in July (week 26).

So they start missing stuff, e.g. features like https://codeberg.org/forgejo/forgejo/issues/9552

Re: delayed security fixes, if a vulnerability is not yet publicly known and there is no indication that it is actively abused it is common practice to schedule fixes and give advance notice of them to have administrators be prepared to update promptly. The fact that the vulnerability was leaked beforehand is unfortunate, but Forgejo handled it well with rescheduling their release in response.

Re: license change, hard forking, and new features: my understanding is that Gitea wasn't very open to contributions coming from Forgejo. The hard fork seems to be a consequence of that. Yes, there used to be weekly cherry picks, I assume they stopped exactly because Forgejo and Gitea diverged to much and they became too much of a maintenance burden. Yes, this means Gitea has gotten features that aren't present in Forgejo since then. But you miss the point of the hard fork if you count this as a negative: Forgejo is deliberately diverging from Gitea now. Cooperation didn't work out, so they are no longer a superset of Gitea, but an entirely separate project. And as such they don't have more maintenance burden than Gitea itself.

And Forgejo definitely does not lack development power as its own now-independent project. They have features themselves that Gitea doesn't have. One notable that comes to mind is storage quotas, but there are many more too.