diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 87e80ce7e5..849d44efc9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,8 +15,14 @@ updates:
   # Keep the pinned dev tooling in pyproject.toml's [dependency-groups] and the
   # uv.lock current. Without this the exact pins (e.g. pytest) would never be
   # bumped automatically and would silently rot.
+  #
+  # `allow: dependency-type: direct` restricts updates to dependencies declared
+  # in pyproject.toml. Transitive deps in uv.lock are then only updated as a
+  # side effect of a direct bump, never via a standalone PR.
   - package-ecosystem: "uv"
     directory: "/"
+    allow:
+      - dependency-type: "direct"
     schedule:
       interval: "weekly"
     groups:
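Review bot: The new `allow` block means a vulnerable transitive pin in uv.lock is only bumped when one of its direct parents happens to move, and the added comment does not say what covers that gap. As far as I can tell `allow` gates version updates only, and alert-driven Dependabot security updates for lock-file entries depend on the repository setting being enabled rather than on this file, but that should be confirmed rather than assumed. I would extend the new comment with `# Vulnerable transitive pins are left to Dependabot security updates (a repo setting, not gated by this allow list) — TODO confirm.` so the reader knows the supply-chain coverage now rests on that setting. The `- package-ecosystem: "uv"` entry continues past the hunk (`groups:` and below), so the rest of its configuration cannot be checked here.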