diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index cf9d36fc5..eb17e0b1d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,4 +1,3 @@
-# TEMPORARILY DISABLED — re-enable by removing open-pull-requests-limit: 0
 version: 2
 updates:
 # Python (root pyproject.toml)
@@ -6,21 +5,21 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
- open-pull-requests-limit: 0
+ open-pull-requests-limit: 5
 # JavaScript (codeflash npm package)
 - package-ecosystem: "npm"
 directory: "/packages/codeflash"
 schedule:
 interval: "weekly"
- open-pull-requests-limit: 0
+ open-pull-requests-limit: 5
 # GitHub Actions
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"
- open-pull-requests-limit: 0
+ open-pull-requests-limit: 5
 # code_to_optimize/ directories are test fixtures — do NOT update them.
- # Dependabot PRs for these always fail (missing secrets) and waste CI.
+ # Their package-lock.json files are gitignored to prevent Dependabot alerts.
diff --git a/.gitignore b/.gitignore
index 8f9f05ab6..1a4e87d22 100644
--- a/.gitignore
+++ b/.gitignore
@@ -275,6 +275,9 @@ tessl.json
 **/dist-nuitka/**
 **/.npmrc
+# Test fixture lockfiles — prevents Dependabot from scanning them
+code_to_optimize/**/package-lock.json
+
 # Tessl auto-generates AGENTS.md on install; ignore to avoid cluttering git status
 AGENTS.md
 .serena/
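Review bot: The rewritten trailing comment at the end of this hunk conflates two mechanisms. This file only schedules version-update PRs for the three listed directories, whereas Dependabot alerts come from the repository's dependency graph and are not configured here. The fixtures are excluded from update PRs simply because no `updates` entry points at them, so the comment should say that and keep the operational reason the old line gave, for example `# Not listed above, so no update PRs are opened for them (such PRs fail CI: no secrets).` A second line such as `# Alerts: fixture lockfiles are kept out of the repo via .gitignore.` can then point to the other half of the change. The `updates` list starts above the hunk, so the first entry's ecosystem is not visible here.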
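Review bot: The new `code_to_optimize/**/package-lock.json` rule only stops lockfiles from being added in future. Any fixture lockfile that is already tracked stays in the index, and therefore in the dependency graph, until it is removed with `git rm --cached`, and no such deletion is visible in this diff. The rule also silences findings rather than resolving them: without a committed lockfile, wherever the fixtures are installed npm resolves whatever versions match the `package.json` ranges at that moment, so the installs are no longer pinned or reproducible. Alerts may still be raised from the fixtures' `package.json` manifests, so "prevents Dependabot from scanning them" likely overstates the effect. A more accurate comment would be `# Test fixture lockfiles: left untracked so their pinned versions are not reported as alerts`.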