diff --git a/public/partials/anonymize.htm b/public/partials/anonymize.htm
index 5b173db..c593f2b 100644
--- a/public/partials/anonymize.htm
+++ b/public/partials/anonymize.htm
@@ -102,6 +102,9 @@
                 <div class="invalid-feedback" ng-show="anonymize.commit.$error.pattern || anonymize.commit.$error.required">
                   The commit SHA is not valid.
                 </div>
+                <div class="invalid-feedback" ng-show="anonymize.commit.$error.exists">
+                  This commit no longer exists in the repository. Click refresh to get the latest.
+                </div>
               </div>
             </div>
 
diff --git a/public/script/app.js b/public/script/app.js
index 4b97128..1ea7d1d 100644
--- a/public/script/app.js
+++ b/public/script/app.js
@@ -1600,11 +1600,11 @@ angular
           }
           const selected = $scope.branches.filter((b) => b.name == $scope.source.branch);
           if (selected.length > 0) {
-            // Preserve the saved commit when editing with auto-update off:
-            // refreshing branches must not silently bump the pinned SHA to
-            // GitHub HEAD. Same intent as the source.branch watcher (#360),
-            // extended to cover the branches refresh path.
+            // When the user explicitly clicks refresh (force=true), always
+            // update the commit to the latest on the branch. Only preserve
+            // the saved commit on the initial edit-page load (#360).
             const keepSavedCommit =
+              !force &&
               $scope.isUpdate &&
               !$scope.options.update &&
               $scope._originalBranch === $scope.source.branch &&
@@ -1957,6 +1957,7 @@ angular
         setValidity("sourceUrl", "missing", true);
         setValidity("sourceUrl", "access", true);
         setValidity("sourceUrl", "github", true);
+        setValidity("commit", "exists", true);
         setValidity("conference", "activated", true);
         setValidity("terms", "format", true);
         $scope.termsRegexWarning = false;
@@ -1977,6 +1978,7 @@ angular
           case "invalid_terms_format": setValidity("terms", "format", false); break;
           case "repo_not_found": setValidity("sourceUrl", "missing", false); break;
           case "repo_not_accessible": setValidity("sourceUrl", "access", false); break;
+          case "commit_not_found": setValidity("commit", "exists", false); break;
           case "conf_not_activated": setValidity("conference", "activated", false); break;
         }
       }
diff --git a/src/server/routes/repository-private.ts b/src/server/routes/repository-private.ts
index 760ba94..f03f812 100644
--- a/src/server/routes/repository-private.ts
+++ b/src/server/routes/repository-private.ts
@@ -431,6 +431,11 @@ router.post(
           httpStatus: 404,
         });
       }
+
+      await repository.getCommitInfo(repoUpdate.source.commit, {
+        accessToken: user.accessToken,
+      });
+
       const removeRepoFromConference = async (conferenceID: string) => {
         const conf = await ConferenceModel.findOne({
           conferenceID,
@@ -542,6 +547,10 @@ router.post("/", async (req: express.Request, res: express.Response) => {
       });
     }
 
+    await repository.getCommitInfo(repoUpdate.source.commit, {
+      accessToken: user.accessToken,
+    });
+
     const repo = new AnonymizedRepositoryModel();
     repo.repoId = repoUpdate.repoId;
     repo.anonymizeDate = new Date();