How to create PRs only for security-updates for direct dependencies?

[harshit-kochar]

Code Security Page:

Dependabot config:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"  # Package ecosystem, e.g., npm, pip, etc.
    directory: "/"             # Location of your dependency files (e.g., "/" for the root directory)
    schedule:
      interval: "daily"       # Frequency at which dependabot checks for updates
    # Disable version updates for npm dependencies
    open-pull-requests-limit: 0
    # Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint.
    versioning-strategy: "increase-if-necessary"
    allow:
     - dependency-type: "direct"  # Only create PRs for direct dependencies
    labels:
      - "npm dependencies"
    groups:
      major-production-dependencies:
        dependency-type: "production"
        applies-to: security-updates
        update-types:
          - "major"
      minor-production-dependencies:
        dependency-type: "production"
        applies-to: security-updates
        update-types:
          - "minor"
          - "patch"
      development-dependencies:
        dependency-type: "development"
        applies-to: security-updates

I can't see some way to only create PRs for direct dependencies, I saw "There is no interaction between the settings specified in the dependabot.yml file and Dependabot security alerts, other than the fact that alerts will be closed when related pull requests generated by Dependabot for security updates are merged."; does this mean its not possible?