Dependabot config (V2)

Hi

I want to configure dependabot to do PR only in dev branch, and only when there are security issues. In the old version it was done using

  target_branch: "develop"
  allowed_updates:
      - match:
          update_type: "security"

I have been reading this topic How to get Dependabot to trigger for security updates only?, and apparently the dependabot.yml file is no needed.

However, it only detects vulnerabilities in the main branch, not in develop.

If i create the dependabot.yml, it updates all the dependencies (not only the ones with security issues), but it still doesnt report the security vulnerability in development branch

Is there any way to activate dependabot only in development branch, and only for security issues?

My repo to test this is GitHub - javixeneize/dependabot_test

Thanks