Description
Describe the bug
TLDR
Why is Dependabot still applying semver labels to PRs when it should not?
DETAILS
We're seeing a weird situation where Dependabot is applying a major label automatically to our PRs when a dependency is making a major version update.
Example PR where Dependabot is still applying semver labels (Dependabot added the major label. I removed it)
Example PR where it does not (same dependabot.yaml config as repo in example above)
This should not be happening any longer because we have hard-coded the labels to apply in our dependabot.yaml config (9/16/2025). Our other OSPO GitHub Actions have the same setup and they aren't seeing this weirdness. This aligns with our documentation, where it states "The labels specified are used instead of the default labels" (link).
To Reproduce
- Receive a dependabot PR that has a dependency that has a major version update
Expected behavior
Dependabot does not add semver-based labels to its pull requests.
Screenshots
Additional context
This is not happening on the other GitHub OSPO GitHub Actions repositories. They all have the same dependabot.yml config and no semver labels are being applied to their Dependabot PRs.