Dependabot Security Updates Not Using Config

We have a Dependabot config file in .github/dependabot.yml, which Dependabot properly uses to update our dependencies. Our config also includes setting a commit message prefix, as we verify the format of PR titles using GitHub Actions. We setup the checks to happen weekly.

We also have the security updates enabled but those PRs do not use that config, as evidenced by the lack of commit message prefix. I would expect it to use the same config, or at least have some way to configure the security updates PR, as those tend to be the most critical PRs but require more time to reconfigure the PR and commit message to be consistent with all other PRs (including “normal” Dependabot PRs). Our config correctly has Dependabot opening PRs with the prefix for other packages in the same ecosystem-directory, so we can also rule out a security update happening on something not specified in the Dependabot configuration. Is there another configuration file we might be missing to setup security commit message prefixes? Ideally I would like to see it either reuse the existing prefix or even allow for a new prefix type so that we can distinguish those updates more clearly.

I tried to look for other reports of this behavior but didn’t see

This is a problem for us as well, we have a bunch of automation built around the commit messages so we need a mechanism of prefixing the dependabot commits raised as security issues.