How to disable auto merge for dependabot security updates?

[dmason30]

We use this action to auto merge our dependabot PRs that is configured to create PRs against our non-default branch develop.

Our dependabot.yml is this:

version: 2
registries:
  composer-repository-nova-laravel-com:
    type: composer-repository
    url: https://nova.laravel.com
    username: "${{secrets.NOVA_USERNAME}}"
    password: "${{secrets.NOVA_PASSWORD}}"

updates:
- package-ecosystem: composer
  directory: "/"
  schedule:
    interval: weekly
  open-pull-requests-limit: 20
  target-branch: develop
  versioning-strategy: increase
  registries:
  - composer-repository-nova-laravel-com

However, when dependabot runs for JavaScript security updates it makes them against our default branch e.g. master which we don't want but can accept if our merge me workflow didn't auto merge them.

I know adding JavaScript to the depandbot.yml may fix it but we don't want to be getting any dependabot updates for javascript at this time.