GitLab Dependency Scanning (Gemnasium) pricing

Since Gemnasium got eaten by GitLab, I’ve been waiting for dependency scanning to move down the tier list.

We have one project (with 3 users) that was formerly protected by Gemnasium, but now it’s frankly just ridiculous.

In order to get Gemnasium (or dependency scanning) back we would have to spend >40k€ on this, which was formerly 600$ with no per-user restriction. I do see that there was a project limit, but I mean, come on.

What are we expected to do? Host a second GitLab instance with one user that just mirrors our one project, so as to only need to pay twice as much as before? Is that even legal? Move to a competitor or not have dependency scanning? Cheat the system by publicly uploading only the lock files?

What to do, what to do? Certainly not spending 40 grand a year, that’s for sure (at that point we could hire a person that does this manually).