We've changed the way Dependabot updates insecure dependencies: we now generate a PR to update you to the minimal fixed version, rather than the latest version.
When a security vulnerability is announced, you want to react as fast as possible. Updating to the minimal fixed version makes that easier - there's less to review, and less chance of breaking changes.
If you have Dependabot set up to only create security-fix PRs, this change will make a big difference to the PRs you see. If you're using Dependabot to keep your dependencies up-to-date, you'll barely notice it: your updates will have been minimal already.
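To make the difference concrete, here is an added illustration (not Dependabot's own code) of picking the minimal fixed version versus the latest one. The helper names, the version list and the advisory ranges are all constructed for this example.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# True if `version` falls inside any of the advisory's vulnerable ranges.
def vulnerable?(version, vulnerable_ranges)
  vulnerable_ranges.any? { |range| range.satisfied_by?(version) }
end

# Stable releases newer than `current` that no vulnerable range covers, ascending.
def fixed_candidates(current, available, vulnerable_ranges)
  available
    .reject(&:prerelease?)                      # never propose an rc/beta as a fix
    .select { |v| v > current }                 # never downgrade
    .reject { |v| vulnerable?(v, vulnerable_ranges) }
    .sort
end

# Smallest safe upgrade; nil when no fixed release has been published yet.
def minimal_fixed_version(current, available, vulnerable_ranges)
  fixed_candidates(current, available, vulnerable_ranges).first
end

# Largest safe upgrade, shown only for comparison.
def latest_fixed_version(current, available, vulnerable_ranges)
  fixed_candidates(current, available, vulnerable_ranges).last
end

# --- constructed sample data ---
AVAILABLE = %w[1.2.0 1.2.1 1.2.2 1.3.0 1.3.1 2.0.0.rc1 2.0.0 2.1.0]
            .map { |s| Gem::Version.new(s) }

# A hypothetical advisory affecting two release lines, each patched separately.
VULNERABLE = [
  Gem::Requirement.new(">= 1.0.0", "< 1.2.2"),
  Gem::Requirement.new(">= 1.3.0", "< 1.3.1")
].freeze

CURRENT = Gem::Version.new("1.2.0")

puts "minimal fix: #{minimal_fixed_version(CURRENT, AVAILABLE, VULNERABLE)}"
puts "latest fix:  #{latest_fixed_version(CURRENT, AVAILABLE, VULNERABLE)}"
```

With this data the minimal fix is a patch-level bump within the 1.2 line, while the latest fix crosses a major version, which is where the extra review effort and breaking-change risk come from.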
Stay safe out there!