Merge pull request #707 from lsst-sqre/tickets/DM-38272

DM-38272: Improve logging and error reporting
lsst-sqre · Mar 15, 2023 · 2934a80 · 2934a80
2 parents d592368 + 402e33a
commit 2934a80
Show file tree

Hide file tree

Showing 49 changed files with 1,336 additions and 1,003 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -44,7 +44,7 @@ repos:
         additional_dependencies:
           - '@babel/[email protected]'
           - '@babel/[email protected]'
-          - eslint@8.35.0
+          - eslint@8.36.0
           - [email protected]
           - [email protected]
           - [email protected]

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,17 +9,22 @@ Dependencies are updated to the latest available version during each release. Th
 ### New features
 
 - Gafaelfawr now supports setting API and notebook quotas in its configuration, and calculates the quota for a given user based on their group membership. This quota information is returned by the `/auth/api/v1/user-info` route, but is not otherwise used by Gafaelfawr (yet).
+- Server-side failures during login, such as inability to reach the authentication provider or invalid responses from the authentication provider, are now reported to Slack if a Slack webhook is configured.
 
 ### Bug fixes
 
 - Explicitly disable caching of enrollment redirects. Some browsers appear to cache 307 redirects and redirected the user back to enrollment the next time they logged in.
 - Uniformly use `Cache-Control: no-cache, no-store` to disable caching of errors and redirects. Previously, Gafaelfawr also added `must-revalidate` (but not `max-age`). This appears to not be necessary or useful with modern browsers.
 - Correctly expand backtraces of uncaught exceptions in Uvicorn logs.
 - Diagnose and display a proper error if the OpenID Connect token from the authentication provider contains multiple usernames.
+- Return a status code of 500 instead of 403 for server-side errors during login.
+- Errors in querying an external source of user information, such as Firestore or LDAP, are now caught in the `/auth` route and only logged, not reported to Slack as uncaught exceptions. The `/auth` route may receive multiple requests per second and should not report every error due to a possible external outage to Slack.
+- Errors in querying an external source of user information in the `/auth/api/v1/user-info` route are now caught, reported to Slack, and result in an orderly error message instead of an uncaught exception.
 
 ### Other changes
 
 - Gafaelfawr now supports camel-case in its configuration file to allow using the same names for most configuration settings and Helm chart values.
+- More log messages related to retrieving user metadata, particularly those during initial login, now include the username of the user.
 
 ## 9.0.0 (2023-01-09)
 

diff --git a/Makefile b/Makefile
@@ -1,17 +1,26 @@
-# The dependencies need --allow-unsafe because sphinx depends on setuptools,
-# which is normally not allowed to appear in a hashed dependency file.
+# The dependencies need --allow-unsafe because kubernetes-asyncio and
+# (transitively) pre-commit depends on setuptools, which is normally not
+# allowed to appear in a hashed dependency file.
 .PHONY: update-deps
 update-deps:
 	pip install --upgrade pip-tools pip setuptools
-	pip-compile --upgrade --build-isolation --allow-unsafe --generate-hashes --output-file requirements/main.txt requirements/main.in
-	pip-compile --upgrade --build-isolation --allow-unsafe --generate-hashes --output-file requirements/dev.txt requirements/dev.in
+	pip-compile --upgrade --resolver=backtracking --build-isolation	\
+	    --allow-unsafe --generate-hashes				\
+	    --output-file requirements/main.txt requirements/main.in
+	pip-compile --upgrade --resolver=backtracking --build-isolation	\
+	    --allow-unsafe --generate-hashes				\
+	    --output-file requirements/dev.txt requirements/dev.in
 
 # Useful for testing against a Git version of Safir.
 .PHONY: update-deps-no-hashes
 update-deps-no-hashes:
 	pip install --upgrade pip-tools pip setuptools
-	pip-compile --upgrade --build-isolation --allow-unsafe --output-file requirements/main.txt requirements/main.in
-	pip-compile --upgrade --build-isolation --allow-unsafe --output-file requirements/dev.txt requirements/dev.in
+	pip-compile --upgrade --resolver=backtracking --build-isolation	\
+	    --allow-unsafe						\
+	    --output-file requirements/main.txt requirements/main.in
+	pip-compile --upgrade --resolver=backtracking --build-isolation	\
+	    --allow-unsafe						\
+	    --output-file requirements/dev.txt requirements/dev.in
 
 # npm dependencies have to be installed for pre-commit eslint to work.
 .PHONY: init

diff --git a/docs/dev/internals.rst b/docs/dev/internals.rst
@@ -20,6 +20,7 @@ Python internal API
    :include-all-objects:
 
 .. automodapi:: gafaelfawr.dependencies.context
+   :include-all-objects:
 
 .. automodapi:: gafaelfawr.dependencies.return_url
 
@@ -77,8 +78,6 @@ Python internal API
 
 .. automodapi:: gafaelfawr.services.userinfo
 
-.. automodapi:: gafaelfawr.slack
-
 .. automodapi:: gafaelfawr.storage.admin
 
 .. automodapi:: gafaelfawr.storage.base

diff --git a/requirements/dev.in b/requirements/dev.in
@@ -27,7 +27,7 @@ types-redis
 holdup
 
 # Documentation
-documenteer[guide]>=0.7.0b2
+documenteer[guide]>=0.7.0
 sphinx-click
 sphinx-diagrams
 sphinxcontrib-redoc
diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
-#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/dev.txt requirements/dev.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/dev.txt --resolver=backtracking requirements/dev.in
 #
 alabaster==0.7.13 \
     --hash=sha256:1ee19aca801bbabb5ba3f5f258e4422dfa86f82f3e9cefb0859b283cdd7f62a3 \
@@ -21,9 +21,7 @@ asgi-lifespan==2.0.0 \
 async-generator==1.10 \
     --hash=sha256:01c7bf666359b4967d2cda0000cc2e4af16a0ae098cbffcb8472fb9e8ad6585b \
     --hash=sha256:6ebb3d106c12920aaae42ccb6f787ef5eefdcdd166ea3d628fa8476abe712144
-    # via
-    #   trio
-    #   trio-websocket
+    # via trio
 attrs==22.2.0 \
     --hash=sha256:29e95c7f6778868dbd49170f98f8818f78f3dc5e0e37c0b1f474e3561b240836 \
     --hash=sha256:c9227bfc2f01993c03f68db37d1d15c9690188323c067c641f1a35ca58185f99
@@ -464,9 +462,13 @@ docutils==0.19 \
     #   sphinx
     #   sphinx-click
     #   sphinxcontrib-bibtex
-filelock==3.9.0 \
-    --hash=sha256:7b319f24340b51f55a2bf7a12ac0755a9b03e718311dac567a0f4f7fabd2f5de \
-    --hash=sha256:f58d535af89bb9ad5cd4df046f741f8553a418c01a7856bf0d173bbc9f6bd16d
+exceptiongroup==1.1.1 \
+    --hash=sha256:232c37c63e4f682982c8b6459f33a8981039e5fb8756b2074364e5055c498c9e \
+    --hash=sha256:d484c3090ba2889ae2928419117447a14daf3c1231d5e30d0aae34f354f01785
+    # via trio-websocket
+filelock==3.10.0 \
+    --hash=sha256:3199fd0d3faea8b911be52b663dfccceb84c95949dd13179aa21436d1a79c4ce \
+    --hash=sha256:e90b34656470756edf8b19656785c5fea73afa1953f3e1b0d645cef11cab3182
     # via virtualenv
 fonttools==4.39.0 \
     --hash=sha256:909c104558835eac27faeb56be5a4c32694192dca123d073bf746ce9254054af \
@@ -585,9 +587,9 @@ hyperframe==6.0.1 \
     # via
     #   h2
     #   selenium-wire
-identify==2.5.19 \
-    --hash=sha256:3ee3533e7f6f5023157fbebbd5687bb4b698ce6f305259e0d24b2d7d9efb72bc \
-    --hash=sha256:4102ecd051f6884449e7359e55b38ba6cd7aafb6ef27b8e2b38495a5723ea106
+identify==2.5.20 \
+    --hash=sha256:5dfef8a745ca4f2c95f27e9db74cb4c8b6d9916383988e8791f3595868f78a33 \
+    --hash=sha256:c8b288552bc5f05a08aff09af2f58e6976bf8ac87beb38498a0e3d98ba64eb18
     # via pre-commit
 idna==3.4 \
     --hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \
@@ -979,9 +981,9 @@ pillow==9.4.0 \
     --hash=sha256:f715c32e774a60a337b2bb8ad9839b4abf75b267a0f18806f6f4f5f1688c4b5a \
     --hash=sha256:fb5c1ad6bad98c57482236a21bf985ab0ef42bd51f7ad4e4538e89a997624e12
     # via matplotlib
-platformdirs==3.1.0 \
-    --hash=sha256:13b08a53ed71021350c9e300d4ea8668438fb0046ab3937ac9a29913a1a1350a \
-    --hash=sha256:accc3665857288317f32c7bebb5a8e482ba717b474f3fc1d18ca7f9214be0cef
+platformdirs==3.1.1 \
+    --hash=sha256:024996549ee88ec1a9aa99ff7f8fc819bb59e2c3477b410d90a16d32d6e707aa \
+    --hash=sha256:e5986afb596e4bb5bde29a79ac9061aa955b94fca2399b7aaac4090860920dd8
     # via virtualenv
 pluggy==1.0.0 \
     --hash=sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159 \
@@ -1264,9 +1266,9 @@ sphinx-autodoc-typehints==1.22 \
     --hash=sha256:71fca2d5eee9b034204e4c686ab20b4d8f5eb9409396216bcae6c87c38e18ea6 \
     --hash=sha256:ef4a8b9d52de66065aa7d3adfabf5a436feb8a2eff07c2ddc31625d8807f2b69
     # via documenteer
-sphinx-automodapi==0.14.1 \
-    --hash=sha256:4238e131d7abc47226449661bb3cfa2bb1b5b190184ffa69d9b924b984a22753 \
-    --hash=sha256:a2f9c0f9e2901875e6db75df6c01412875eb15f25e7db1206e1b69fedf75bbc9
+sphinx-automodapi==0.15.0 \
+    --hash=sha256:06848f261fb127b25d35f27c2c4fddb041e76498733da064504f8077cbd27bec \
+    --hash=sha256:fd5871e054df7f3e299dde959afffa849f4d01c6eac274c366b06472afcb06aa
     # via documenteer
 sphinx-click==4.4.0 \
     --hash=sha256:2821c10a68fc9ee6ce7c92fad26540d8d8c8f45e6d7258f0e4fb7529ae8fab49 \
@@ -1326,51 +1328,49 @@ sphinxext-opengraph==0.8.1 \
     --hash=sha256:4e698b907ef9582cd0106bd50807106677fdab4dc5c31040be17c9afb6e17880 \
     --hash=sha256:64fe993d4974c65202d1c8f1c986abb559154a814a6378f9d3aaf8c7c9bd62bc
     # via documenteer
-sqlalchemy[asyncio,mypy]==2.0.5.post1 \
-    --hash=sha256:03cd5709839fc376538f102c58f632d48bd0b92715bd290c3b2c066e0dd0f214 \
-    --hash=sha256:0433abeb650c72c872e31010bff8536907fb05f6fa29a9b880046570c03383ca \
-    --hash=sha256:059ddd4ddbfb8f1c872d601b168273dfaab0eae458736c7c754187b9a8e92ad5 \
-    --hash=sha256:1012c0440108c360b94f43667525365c43516e8c7f1f7de8dfb73471181055df \
-    --hash=sha256:13eb2a5882cfd9f4eedaaec14a5603a096f0125f7c3cb48611b3bfa3c253f25d \
-    --hash=sha256:15c92107437770087ad4fece6ed9553ab97474f3b92d15eb62cea9686228f252 \
-    --hash=sha256:1edb6621782f9a3e80750ba1859580b778a424242d4e6b9bcd46fa6beca75c12 \
-    --hash=sha256:22f60d214899b573edc8aeb9ba84f7e832505511ce68974636e6da4a27c957a3 \
-    --hash=sha256:2bffc27ec0386ef4af7c8923f0f809f88671859b907c9e11f000c39b97195e99 \
-    --hash=sha256:2c3869a7bdd5bb76fb50976abe339e30cce8e9f7c778a50811d310ec82cdf51a \
-    --hash=sha256:3c4e673da09af37b7a5c13b947fdb387c3800d43dcd86c1d553e3c70369e4749 \
-    --hash=sha256:4756878d0ceb6e0e9c6cfcfaa9df81adbfcca8cc4b9ec37934918008c0f20507 \
-    --hash=sha256:50b15fce441b8eb13bfd06df1088aa52c9a3d72d4894e3456040857d48a622da \
-    --hash=sha256:56d38c3638965df5257ac4648ba2887aaf1e3409397192dd85ddfe7b96dc7680 \
-    --hash=sha256:5c00d2b3607f9ae5c0827ebb2d01020c26cfce4064aa664db21d1fd6a47f8f60 \
-    --hash=sha256:621e92ace804e19da2e472e349736d7ba5e2e4a14d41c4de9e2474e5f40a11ed \
-    --hash=sha256:68c4c5ab13997fa7af37d5780da11ddc184d4e88fb2d8a26525044c233f03bc7 \
-    --hash=sha256:6df48bb7af217fd086617aae1f9606ff91cfab9a29c3e77dd80e4bab8aaf29fc \
-    --hash=sha256:72e8d65b20147df71297d863981d8e56e429a8ae2bb835bd5e89efd7ef849866 \
-    --hash=sha256:744b01fcdfef66b7373262bf75d714a4339f85c05b74b1732749f25ed65f33f6 \
-    --hash=sha256:7e33867e09820c98630f7faec535a8cc4116fd362787404b41883d373437290b \
-    --hash=sha256:7fab3d4062472e1e6002bfcd53cc7446189941be083a5465760aa794092004ee \
-    --hash=sha256:7fe933831e17f93947b4e3db4e4a7470dae24340f269baf06cdfcc0538c8d1cb \
-    --hash=sha256:869ca02661f6d4cece5823997a364dfa97601de11151fca3ebc3429eb9ffa2e0 \
-    --hash=sha256:8e7d5766fb99743eb70126daaff45f43bee3f4b79ba6047a0749912e8538f0ff \
-    --hash=sha256:9a4d9a7e9b344bf8ce2ed699baa8a43d9fbdad3aecff259f1d0daf6bb2e7e0c0 \
-    --hash=sha256:9bb63e22ddf01cbbb290e61f31471480d2e40283e558cdd924b94dc4fc2e186b \
-    --hash=sha256:a7e55659740e768a1bf1257275b565137a3d28839789c85193dd6a1e642b3cc9 \
-    --hash=sha256:ac12d8bef707d02ef179f0586c848db2954668dca2b72c69df950e08dc8cddb4 \
-    --hash=sha256:adf597e756e27173be57f243cc17bea7af1ac74b35c0120aace2738f59c92a48 \
-    --hash=sha256:b21694c8543becc2bc4f05f8d07970860e6ad005024712b7195abb1f4e0daf47 \
-    --hash=sha256:b52be78c5e86ade646c82a10b2be4b6ed8f623052b4405b26681880df1a15d5a \
-    --hash=sha256:c12f0455f30d637644f4d6df2bda1475c61398483edb58d55c670be31a31d549 \
-    --hash=sha256:c2c41bf05b4cf4ffead35896affa3b457c17755d0fd83b1ba72f7f55abb3a3f1 \
-    --hash=sha256:d6cb241c5c1af422c0fa742bd09a8eaf158da1433617ded1ffcbb56de6ff8047 \
-    --hash=sha256:d811b97f58d99e5948752087903cb414fd77a60a5e09293be16c924219178c3b \
-    --hash=sha256:d81b2fa605939c437f8b0b8522ec2c19508f3036d6043cb70a15dd56760ab710 \
-    --hash=sha256:e13cea675937125417953fd011138f13cf979051567f48074fffb3bb0b64b917 \
-    --hash=sha256:e40c39cfcbe416a7722a226ecd98fad0e08f8ae33e8f94b0858afe094583bfbc \
-    --hash=sha256:f53542654124d30a3c3ebff9f99e5749add75e4cf28895a2ca6cd1458039bd8f \
-    --hash=sha256:ffda70373ddfe8ec733d518e4e41eb5599480d48e8496c44bb0cac0e37b281c0
-    # via
-    #   -c requirements/main.txt
-    #   -r requirements/dev.in
+sqlalchemy[mypy]==2.0.6 \
+    --hash=sha256:1df00f280fcf7628379c6838d47ac6abd2319848cb02984af313de9243994db8 \
+    --hash=sha256:1fd154847f2c77128e16757e3fd2028151aa8208dd3b9a5978918ea786a15312 \
+    --hash=sha256:20f36bff3b6c9fa94e40114fda4dc5048d40fd665390f5547b456a28e8059ee8 \
+    --hash=sha256:224c817e880359d344a462fc4dd94a233804f371aa290b024b6b976a2f5ade36 \
+    --hash=sha256:2ad44f45526411bebbf427cf858955a35f3a6bfd7db8f4314b12da4c0d1a4fd2 \
+    --hash=sha256:2c4c64f321080c83a3f0eed11cc9b73fe2a574f6b8339c402861274165c24cf6 \
+    --hash=sha256:3625a52fae744cff6f9beb6ed0775468b9eb7e6e8f6730676dfc49aa77d98b4e \
+    --hash=sha256:3be54b3825512b3de5698ae04bf4aad6ea60442ac0f6b91ee4b8fa4db5c2dccd \
+    --hash=sha256:4100c80070a66b042f1010b29b29a88d1d151c27a5e522c95ec07518b361a7a3 \
+    --hash=sha256:47e96be3e8c9c0f2c71ec87599be4bb8409d61841b66964a36b2447bec510b3b \
+    --hash=sha256:483712fce53e2f7ec95ed7d106cd463f9fc122c28a7df4aaf2bc873d0d2a901f \
+    --hash=sha256:48824b989a0e4340cd099dd4539702ddb1a5ce449f8a7355124e40a4935a95fa \
+    --hash=sha256:4d653962da384a1d99795dbd8aac4a7516071b2f2984ed2aa25545fae670b808 \
+    --hash=sha256:5b067b2eaf3d97a49f3f6217981efa7b45d5726c2142f103712b020dd250fd98 \
+    --hash=sha256:5c35175b74cbcfe9af077bd13e87cfab13239e075c0e1e920095082f9377f0ed \
+    --hash=sha256:61abff42e44e5daf17372cb8baa90e970dc647fc5f747e2caa9f9768acf17be8 \
+    --hash=sha256:6987f658389ad8bb6257db91551e7fde3e904974eef6f323856260907ef311d7 \
+    --hash=sha256:709f1ecb5dcea59f36fa0f485e09e41ff313b2d62c83a6f99b36870b0d6e42fa \
+    --hash=sha256:7635cd38e3ea8522729b14451157104fce2117c44e7ba6a14684ed153d71b567 \
+    --hash=sha256:778db814cc21eff200c8bd42b4ffe976fa3378d10fb84d2c164d3c6a30bb38ee \
+    --hash=sha256:81d4fc8f5c966677a3a2f39eb8e496442269d8c7d285b28145f7745fcc089d63 \
+    --hash=sha256:82691d3539023c3cee5ae055c47bf873728cd6b33bfaa7b916bea5a99b92f700 \
+    --hash=sha256:8ef7c56c74f4420b2c4a148d2531ba7f99b946cbf438a2bbcb2435fb4938a08d \
+    --hash=sha256:9310666251385e4374c6f0bae6d69e62bc422021298ceb8669bf6ff56957ff37 \
+    --hash=sha256:ac6274dd530b684cca8cbb774e348afac6846f15d1694a56954413be6e2e8dcd \
+    --hash=sha256:b7be0e6a4061d28b66ca4b4eb24558dd8c6386d3bcd2d6d7ef247be27cf1281b \
+    --hash=sha256:bea2c1341abe9bc6f30071b8ada1a3c44f24ec0fe1b9418e9c1112ed32057c9e \
+    --hash=sha256:bfcadfb8f0a9d26a76a5e2488cedd2e7cf8e70fe76d58aeb1c85eb83b33cbc5c \
+    --hash=sha256:bfce790746d059af6d0bc68b578ba20d50a63c71a3db16edce7aa8eccdd73796 \
+    --hash=sha256:bfde1d7cf8b9aa6bbd0d53946cd508d76db7689afd442e2289642cdc8908b7b7 \
+    --hash=sha256:c343f0b546495f5d7a239c70bf50a99a48d7321c165b82afafa8483b9ebebf6e \
+    --hash=sha256:c5d754665edea1ecdc79e3023659cb5594372e10776f3b3734d75c2c3ce95013 \
+    --hash=sha256:c76caced0c8e9129810895f71954c72f478e30bea7d0bba7130bade396be5048 \
+    --hash=sha256:ca147d9cde38b481085408e1d4277ee834cb88bcc31bc01933bc6513340071bc \
+    --hash=sha256:d7bd001a40997f0c9a9ac10a57663a9397959966a5a365bb24a4d1a17aa60175 \
+    --hash=sha256:db91fe985f2264ab49b3450ab7e2a59c34f7eaf3bf283d6b9e2f9ee02b29e533 \
+    --hash=sha256:e0e270a4f5b42c67362d9c6af648cb86f6a00b20767553cfd734c914e1e2a5e0 \
+    --hash=sha256:ed714b864349704a7a719ec7199eec3f9cd15c190ecf6e10c34b5a0c549c5c18 \
+    --hash=sha256:edc16c8e24605d0a7925afaf99dbcbdc3f98a2cdda4622f1ea34482cb3b91940 \
+    --hash=sha256:f47709c98544384d390aed34046f0573df5725d22861c0cd0a5c151bc22eedff \
+    --hash=sha256:ff10ad2d74a9a79c2984a2c709943e5362a1c898d8f3414815ea57515ae80c84
+    # via -r requirements/dev.in
 termcolor==2.2.0 \
     --hash=sha256:91ddd848e7251200eac969846cbae2dacd7d71c2871e92733289e7e3666f48e7 \
     --hash=sha256:dfc8ac3f350788f23b2947b3e6cfa5a53b630b612e6cd8965a015a776020b99a
@@ -1381,9 +1381,9 @@ trio==0.22.0 \
     # via
     #   selenium
     #   trio-websocket
-trio-websocket==0.9.2 \
-    --hash=sha256:5b558f6e83cc20a37c3b61202476c5295d1addf57bd65543364e0337e37ed2bc \
-    --hash=sha256:a3d34de8fac26023eee701ed1e7bf4da9a8326b61a62934ec9e53b64970fd8fe
+trio-websocket==0.10.0 \
+    --hash=sha256:5a7a256cf45532a0e876b55c173f96228e95445869b6dfdb1556015de89796fa \
+    --hash=sha256:ae0a8bab4b0014510aca37fb67a6eaaa77e64aba372a7333845d2eb991989ae2
     # via selenium
 typed-ast==1.5.4 \
     --hash=sha256:0261195c2062caf107831e92a76764c81227dae162c4f75192c0d489faf751a2 \
@@ -1423,9 +1423,9 @@ types-pyyaml==6.0.12.8 \
     --hash=sha256:19304869a89d49af00be681e7b267414df213f4eb89634c4495fa62e8f942b9f \
     --hash=sha256:5314a4b2580999b2ea06b2e5f9a7763d860d6e09cdf21c0e9561daa9cbd60178
     # via -r requirements/dev.in
-types-redis==4.5.1.4 \
-    --hash=sha256:4ad21473605b9e1f96162b1298383dcbc73daa3bec2abe1fd3e81d077753f9ab \
-    --hash=sha256:7660178754d60a4cfacf5b33ee063aa0625311791c62075cd936136627a3f7bf
+types-redis==4.5.1.5 \
+    --hash=sha256:43d92b4d6315a45bb0e9a790683ba4448ada88cd1233f3f9886fa6f783f53956 \
+    --hash=sha256:f516254bd593023110a38b77e80d5a76a7f033f1d94c53bee09a7d5d0433f34d
     # via -r requirements/dev.in
 typing-extensions==4.5.0 \
     --hash=sha256:5cb5f4a79139d699607b3ef622a1dedafa84e115ab0024e0d9c044a9479ca7cb \
@@ -1439,16 +1439,16 @@ uc-micro-py==1.0.1 \
     --hash=sha256:316cfb8b6862a0f1d03540f0ae6e7b033ff1fa0ddbe60c12cbe0d4cec846a69f \
     --hash=sha256:b7cdf4ea79433043ddfe2c82210208f26f7962c0cfbe3bacb05ee879a7fdb596
     # via linkify-it-py
-urllib3[socks]==1.26.14 \
-    --hash=sha256:076907bf8fd355cde77728471316625a4d2f7e713c125f51953bb5b3eecf4f72 \
-    --hash=sha256:75edcdc2f7d85b137124a6c3c9fc3933cdeaa12ecb9a6a959f22797a0feca7e1
+urllib3[socks]==1.26.15 \
+    --hash=sha256:8a388717b9476f934a21484e8c8e61875ab60644d29b9b39e11e4b9dc1c6b305 \
+    --hash=sha256:aa751d169e23c7479ce47a0cb0da579e3ede798f994f5816a74e4f4500dcea42
     # via
     #   -c requirements/main.txt
     #   requests
     #   selenium
-virtualenv==20.20.0 \
-    --hash=sha256:3c22fa5a7c7aa106ced59934d2c20a2ecb7f49b4130b8bf444178a16b880fa45 \
-    --hash=sha256:a8a4b8ca1e28f864b7514a253f98c1d62b64e31e77325ba279248c65fb4fcef4
+virtualenv==20.21.0 \
+    --hash=sha256:31712f8f2a17bd06234fa97fdf19609e789dd4e3e4bf108c3da71d710651adbc \
+    --hash=sha256:f50e3e60f990a0757c9b68333c9fdaa72d7188caa417f96af9e52407831a3b68
     # via pre-commit
 wsproto==1.2.0 \
     --hash=sha256:ad565f26ecb92588a3e43bc3d96164de84cd9902482b130d0ddbaa9664a85065 \

diff --git a/requirements/main.in b/requirements/main.in
@@ -27,6 +27,10 @@ pydantic
 PyJWT
 pyyaml
 redis>=4.2.0rc1
-safir[db,kubernetes]>=3.5.0
+safir[db,kubernetes]>=3.8.0
 sqlalchemy
 structlog
+
+# Uncomment this, change the branch, comment out safir above, and run make
+# update-deps-no-hashes to test against an unreleased version of Safir.
+#safir[db,kubernetes] @ git+https://github.com/lsst-sqre/safir@tickets/DM-38272