I checked the remaining patches in the 2.x branch, and determined that we could release a minor 2.0.1 version including:
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/507854/|r507854]] - code cleanup
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/507934/|r507934]] - code cleanup
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/507952/|r507952]] - code cleanup
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/507962/|r507962]] - handles ++ and --, pretty easy
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/521546/|r521546]] - unbreaks taint-check for extensions
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/521500/|r521500]] - unbreaks CI
and a couple of changes that I had to self-merge to unbreak the master:
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/521032/|r521032]] - Duplicate method created by git when merging 2.x in master (actually, that problem didn't affect the 2.0.0 release)
# [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/521033/|r521033]] and [[https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/521033/|r521035]] - Fixing an integration test
I find all of the above to be minor changes, with no real risks. So IMHO we can put them in a 2.0.1 version and start using it for our codebases.
Note that the patch above already have CR+2, though I'd like to delay merging them until we'll have CI back working.