diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c004e1c1d2..b482fddb94 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -148,6 +148,10 @@ updates:
 day: "monday"
 cooldown:
 default-days: 14
+ # Keep lower bounds (e.g. Flask>=1.0.4 in install.txt) low: only raise a
+ # floor when the latest release is incompatible with the current range.
+ # Exact (==) pins in ci/dev/testing still update as normal.
+ versioning-strategy: increase-if-necessary
 groups:
 pip-dependencies:
 applies-to: version-updates
@@ -157,3 +161,8 @@ updates:
 applies-to: security-updates
 patterns:
 - "*"
+ # jupyterlab is pinned <4.0.0: jupyterlab 4.x ships jlpm as Yarn Berry, which
+ # cannot consume @plotly/dash-jupyterlab's Yarn 1 lockfile and breaks the build.
+ ignore:
+ - dependency-name: "jupyterlab"
+ versions: [">=4.0.0"]
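Review bot: In the first hunk (`@@ -148,6 +148,10 @@`), the new comment explains why floors stay low but not what that costs. With `versioning-strategy: increase-if-necessary`, a range such as `Flask>=1.0.4` is left alone while it still admits the newest release, so the lowest version a user's resolver may pick can fall behind published advisories without any PR pointing at it. How security updates treat such a range is not visible here and should be confirmed. I would add a line such as `# Floors are not raised for advisories automatically; review them by hand when a dependency ships a security fix.` The `updates` entry this key belongs to starts above the hunk, so the directories it covers cannot be checked from here.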
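Review bot: In the second hunk (`@@ -157,3 +161,8 @@`), the `ignore` rule for `jupyterlab` `>=4.0.0` has no exit condition. It may also suppress security-update PRs whose only fixed release is in 4.x; whether a `versions`-based ignore applies to security updates should be confirmed against the Dependabot documentation. Because the 3.x line is held indefinitely, advisories against it would then have to be tracked by hand. I would extend the comment with `# Remove once @plotly/dash-jupyterlab builds with Yarn Berry (tracking: <issue link>); watch jupyterlab 3.x advisories manually until then.` Indentation is lost in this view, so the nesting of the block under the pip entry could not be verified.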