diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a2056a8..e98d1d0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,6 +11,18 @@ updates:
 open-pull-requests-limit: 5
 reviewers:
 - "Pomdapis"
+ # Defer .NET 10 major bumps until Nexus (downstream consumer) is also
+ # ready to move; otherwise transitive System.Text.Json / Configuration.Binder
+ # downgrades break the build (NU1605). Lift this once Nexus pins .NET 10.
+ ignore:
+ - dependency-name: "Microsoft.Extensions.*"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "Microsoft.AspNetCore.*"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "Serilog.Settings.Configuration"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "System.Text.Json"
+ update-types: ["version-update:semver-major"]
 groups:
 microsoft-extensions:
 patterns:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d47284..d1187e0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -50,6 +50,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - CodeQL Default Setup switched from `default` to `extended` query suite — adds maintainability/quality queries on top of security (csharp + actions).
+- Dependabot now skips semver-major bumps on `Microsoft.Extensions.*`, `Microsoft.AspNetCore.*`, `Serilog.Settings.Configuration`, and `System.Text.Json` until the project moves to .NET 10 alongside Nexus (#25). Patch and minor bumps continue to flow.
 ### Security
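Review bot: The new `ignore:` block in `.github/dependabot.yml` has no recorded exit condition beyond the prose "Lift this once Nexus pins .NET 10", so the semver-major suppression on four package patterns can outlive its reason and leave these packages on a major line that eventually stops receiving fixes. The CHANGELOG hunk cites #25; if that is the tracking item, I would name it in the comment above `ignore:`, e.g. `# Tracking: #25 - remove this ignore block once Nexus is on .NET 10.` The comment should also say that `update-types` rules are meant to suppress version updates only and that Dependabot security updates should still open PRs for these packages; please confirm security updates are enabled for the repository, since this file does not show it. The `updates:` entry this block belongs to starts above the hunk, so I cannot tell whether other NuGet entries in the file need the same rule.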