dependabot-first-cycle-floods-repo-with-prs
Enabling dependabot.yml triggers its first cron cycle on the next scheduled window (Monday 04:00) and opens one PR per configured ecosystem, creating 9 branches simultaneously. Set open-pull-requests-limit: 0 on all ecosystems to block weekly version-bump PRs while still allowing GitHub’s separate security-advisory mechanism to fire. Re-enable limit temporarily when deliberately doing a dependency refresh cycle.