Before: Dependabot was configured to only open PRs for prod NPM dependencies. I think this was originally set up in the hope that it would prevent security alerts being opened for vulnerabilities in build dependencies. However, it doesn't prevent the alerts being raised; it just prevents Dependabot being able to automatically open PRs to fix them.
Now: we allow Dependabot to open PRs for both build and prod NPM dependencies. The open pull requests limit of 0 will still prevent Dependabot opening PRs for non-security updates (as that would result in an unmanageable number of PRs).
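
The change described above, sketched as an added example that is not the repository's own file. The `directory` and `schedule` values are assumptions, as is the choice of `dependency-type: "all"` rather than deleting the `allow` block.

```yaml
# .github/dependabot.yml
# Constructed example: directory and schedule are assumed values.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

    # Before: only production dependencies were eligible for Dependabot PRs.
    # Security alerts for build (development) dependencies were still raised,
    # but Dependabot could not open a PR to fix them.
    # allow:
    #   - dependency-type: "production"

    # Now: build and production dependencies are both eligible.
    allow:
      - dependency-type: "all"

    # A limit of 0 disables version-update PRs for this ecosystem.
    # Security-update PRs are not subject to this limit and are still opened.
    open-pull-requests-limit: 0
```

Security-update PRs also depend on Dependabot security updates being enabled in the repository settings, which this file does not control.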