Problem: The current Dependabot configuration treats the root module and the api module as independent update targets. When Dependabot bumps shared golang.org/x dependencies in the root module, it does not update the api module go.mod or its vendor directory. This causes make verify to fail with inconsistent vendoring errors. See PR #7718 and Prow job 2027188572850753536 for details.