Dependabot watches all the transitive dependencies in your lock files. For better and worse. For worse in that it's not a great developer experience to get a PR on a low level transitive dependencies, which is also one of the largest complaints about Dependabot that it often feels too low level and not working at the dependency level you are working at. But Dependabot (and npm audit) still exist to audit all your low level transitive dependencies in your lock files.