diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 38920ead7a..dc5bcaed14 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,7 @@ updates:
     package-ecosystem: "pip"
     directory: "/"
     open-pull-requests-limit: 10
+    versioning-strategy: "increase-if-necessary"
     schedule:
       interval: "weekly"
     # Group patch updates to packages together into a single PR, as they rarely
diff --git a/changelog.d/19743.misc b/changelog.d/19743.misc
new file mode 100644
index 0000000000..35c4841386
--- /dev/null
+++ b/changelog.d/19743.misc
@@ -0,0 +1 @@
+Configure Dependabot to only update Python dependencies in the lockfile, unless widening upper bounds.