From 776a33a9e389f7b2d5cc1f091da90aa0e7987e7d Mon Sep 17 00:00:00 2001
From: Alex Janousek <alex.janousek@gsa.gov>
Date: Mon, 2 Mar 2026 13:56:56 -0500
Subject: [PATCH] Disable automatic version updates from dependabot (#2246)

---
 .github/dependabot.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3683f2989..9da4ce39c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,16 +3,19 @@
 # Please see the documentation for all configuration options:
 # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
+# Note: Setting open-pull-requests-limit to 0 disables automatic version update PRs.
+# Security updates are still active and managed separately in repository settings under
+# "Security & analysis" > "Dependabot security updates"
+
 version: 2
 updates:
   - package-ecosystem: "pip" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
+    open-pull-requests-limit: 0 # Disable version update PRs; security updates still active
     labels:
       - "dependabot" # Custom label to identify Dependabot PRs
-    assignees:
-      - "alexjanousekGSA"
     ignore:
       # gevent 25.8+ breaks Celery/Kombu compatibility (potentially)
       - dependency-name: "gevent"