Dependabot updating transitive dependencies?

I recently configured Dependabot in a number of my repositories for the first time. I initially saw a number of Dependabot-created PRs for minor/major/patch version bumps for “direct” dependencies (dependencies referenced in the package.json in my repositories). Today, however, I’m seeing what appears to be a transitive dependency Dependabot PR which is bumping a transitive dependency where the only changed file in the PR is my package-lock.json.

If Dependabot does, in fact, create PRs for transitive dependencies, I want to confirm that it only does this for minor and patch version increases based on the notion that only major version increases would include breaking changes.