Dependabot security/vulnerability alerts do not assign reviewers as specified in the dependabot.yml

[samturrell]

Select Topic Area

Bug

Body

Given the following dependabot config:

version: 2
updates:
    - package-ecosystem: npm
      target-branch: develop
      directory: /
      schedule:
          interval: weekly
          day: monday
          time: '09:00'
      open-pull-requests-limit: 20
      reviewers:
          - samturrell

I would expect dependabot security alert/vulnerability PRs to be have the same reviewers added as in the config file. This works correctly for normal dependency updates, but currently security/vulnerability alert PRs just sit unassigned and are often missed.

Is there something else i should be doing here?