How to find out if a release contains security-related fixes?

Often release notes for the server component just say “Bug fixes”, but how can we tell if security-related things were fixed?

I went back past the previous audit in July but there seems to be no mention of those issues being fixed in the release notes since then. Am I looking in the wrong place?

While we upgrade ASAP, I would like to know if there is a security issue so I can better gauge whether I need to get out of bed in the middle of the night or can wait until sunrise :slight_smile:

1 Like

Look at the commits and all the merged pull requests.

Those are often very generic and verbose; they don’t even mention CVEs. E.g. CVE-2020-15879 was fixed in this PR, but the commit messages were:

It’s impossible to judge the security implications from this information. It would be nice to have a reliable source that includes security impact even when no CVE was assigned.

2 Likes

@tgreer any suggestions?

For CVE items I can speak with engineering to see if there is a better way to tag them. Day-to-day updates and feature additions will need some thought as to how best to package/present them.

2 Likes