diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2ba298d..ac1cab1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,12 @@ updates:
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 10
+    ignore:
+      # TypeScript major bumps require workspace-wide migration across the four
+      # auth.* OSS repos (auth.provider / auth.policy-verifier / auth.proxy /
+      # auth.utils). A per-repo Dependabot bump would split TS versions across
+      # the workspace and complicate dev-tool onboarding. TS major upgrades are
+      # handled as a deliberate cross-repo PR, not auto-bumped.
+      - dependency-name: "typescript"
+        update-types:
+          - "version-update:semver-major"