How do I prevent Dependabot from creating random branches in my repo?

I have recently set up Dependabot to protect against malicious packages and security vulnerabilities (it's supposed to monitor for vulnerabilities on main and dev in both the backend's pom.xml and the frontend's package.json). This works pretty well:

version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/backend/"  # location of pom.xml
    schedule:
      interval: "daily"
    target-branch: "dev"
  
  - package-ecosystem: "npm"
    directory: "/frontend/"  # location of package.json
    schedule:
      interval: "daily"
    target-branch: "dev"

  - package-ecosystem: "maven"
    directory: "/backend/"  # location of pom.xml
    schedule:
      interval: "daily"
    target-branch: "main"
  
  - package-ecosystem: "npm"
    directory: "/frontend/"  # location of package.json
    schedule:
      interval: "daily"
    target-branch: "main"

But there's a problem. Whenever it finds something (usually it recommends I bump up a version without giving me an actual reason why) it opens up a new PR and opens a new branch. The Pull Request I can live with (even though most of them seem to just tell me "Hey! There's a new release of this dependency" without any actual security reason), but I don't want there to be so many Dependabot branches in my repo. How do I keep my repo secure from malicious dependencies without getting it swamped by random branches?

Answer

By configuring the groups option in your dependabot.yml file, you can combine multiple updates into a single pull request and branch. This is the most effective way to reduce the number of branches.
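As an added illustration (not part of the original answer), here are the asker's two "dev" entries with a `groups` block added, so that all Maven updates for that branch land in one branch and one pull request, and likewise for npm; the group names `backend-deps` and `frontend-deps` are arbitrary and chosen here.

```yaml
# Added example config: one grouped branch/PR per ecosystem per target branch.
# The two "main" entries from the question take the identical "groups" block.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/backend/"        # location of pom.xml
    schedule:
      interval: "daily"
    target-branch: "dev"
    groups:
      backend-deps:               # arbitrary name; appears in the branch/PR title
        patterns:
          - "*"                   # every Maven dependency in this directory
        update-types:
          - "minor"
          - "patch"               # majors still get their own PR, so breaking
                                  # changes are not hidden inside a bulk update

  - package-ecosystem: "npm"
    directory: "/frontend/"       # location of package.json
    schedule:
      interval: "daily"
    target-branch: "dev"
    groups:
      frontend-deps:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

Note that a dependabot.yml turns on version updates (the "new release" PRs you are seeing), while security updates are driven by Dependabot alerts and are opened regardless of this file; if you only want the security-motivated PRs, set `open-pull-requests-limit: 0` on an entry to switch off its version updates without affecting security updates.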
