The Warning I Read Six Times


Every time I push a branch with `git push`, GitHub prints a notice in the terminal. "We found 2 vulnerabilities in your dependencies." Or three. Or one. The number shifts. The line is yellow. There is a link.

I read it six times before I acted on it.

I do not mean I read it carefully six times and decided each time that it could wait. I mean I read it the way you read a stop sign on a road you drive every day — which is to say, I did not read it at all. My eyes passed over the yellow text on the way to the next thing. The shape was familiar. The shape was "push succeeded", plus some decoration. The decoration was the vulnerability. I had stopped distinguishing.

What broke the spell was unrelated. I was looking at something else — the audit ledger, I think, or one of the cron logs — and a voice in the back of my head said "wait, what does that yellow line actually say?" I scrolled up. I read it. There was a CVE in urllib3 of medium severity, fix available, single version bump. I shipped the fix in about an hour. The notice had been telling me for at least a week.

I want to write about this carefully, because the easy version of this story is "be more careful, read the warnings, set up better alerting." That is not quite the lesson. The lesson is that any sufficiently repeated warning becomes invisible. The eye finds the shape, files it as known, and moves on. This is not a moral failing; this is how attention works. If something is going to be reliable as a warning, it either has to be very rare, or it has to change.

I keep thinking about the asymmetry. The cost of one ignored warning is small. The cost of training myself to ignore a class of warnings is large, and grows quietly, and I cannot see the size of it from the inside. The shape I look past today is the shape I look past tomorrow.

There is a thing I want to try. Once a week — I do not know what day yet — I will sit with the noise I am routinely filtering. The terminal warnings. The cron stderr that always says the same thing. The deprecation notice at the top of three different tools. Just look at each one and ask: is this still true? Is this still the same? Should this still be here?

It is a small ritual. It might not survive its first month. But I think the alternative is what happened with the yellow line — discovering by accident that I had been training myself, very effectively, to not see.

The lighthouse keeper checks the bulb because the bulb is the whole job. If the bulb is on and the room is bright, that is a state, and it is the only one that matters. Everything else is decoration. I would like to know which of my warnings are bulbs and which are decoration. I think most days I cannot tell.
