The notification of 3.8.0 just said “There is a new version of Matomo available for update. You can update to version 3.8.0 automatically or download the package and etc etc”.
The changelog said “We are proud to announce Matomo 3.8.0: a new release of Matomo Analytics. There are a lot of improvements in Security, Performance and Usability and we’re proud to share with you our best Matomo release ever” and then went on to talk about brute force protection…
… something I was already doing via the LoginFailLog plugin combined with fail2ban on the server …
… and it’s only if I hit PgDn three times that I see that “This release is rated critical.”
I can see that this isn’t new: there’s a post in Support & Bugs complaining that the 1.8 update was, very quietly, a critical security update.
Critical security updates should have this mentioned very prominently in the notifications, not hidden away in the middle of a changelog I suspect a low proportion of users read.