diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8273037..b5f1698 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,3 +12,9 @@ updates:
 interval: "weekly"
 commit-message:
 prefix: "deps"
+ ignore:
+ # bcrypt 5.x is incompatible with passlib 1.7.x
+ # (passlib raises "(trapped) error reading bcrypt version" and fails X1).
+ # Keep pinned to <5 until passlib publishes a compatible release.
+ - dependency-name: "bcrypt"
+ versions: [">=5.0"]
diff --git a/pyproject.toml b/pyproject.toml
index 3b4a6a5..8fca283 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -52,7 +52,7 @@ web = [
 "alembic>=1.13.0",
 "python-jose[cryptography]>=3.3.0",
 "passlib[bcrypt]>=1.7.4",
- "bcrypt<6",
+ "bcrypt<5",
 "python-multipart>=0.0.9",
 "strawberry-graphql[fastapi]>=0.220.0",
 "redis>=5.0.0",
@@ -73,7 +73,7 @@ all = [
 "alembic>=1.13.0",
 "python-jose[cryptography]>=3.3.0",
 "passlib[bcrypt]>=1.7.4",
- "bcrypt<6",
+ "bcrypt<5",
 "python-multipart>=0.0.9",
 "strawberry-graphql[fastapi]>=0.220.0",
 "redis>=5.0.0",
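Review bot: The new `ignore` entry for `bcrypt` has no tracked exit condition, and it holds back the library that hashes passwords. The comment ties removal to "until passlib publishes a compatible release", which may never arrive: as far as I know passlib 1.7.4 is still the latest release and is several years old. While the rule is active, a fix that ships only in bcrypt 5.x will not be proposed by version updates, and possibly not by security updates either, depending on how Dependabot applies `ignore` there, so bcrypt advisories need to be watched by hand. I would add an owner and a link to the comment, e.g. `# Tracking: <ISSUE-URL placeholder>; re-evaluate when passlib is fixed or replaced`, and spell out what "fails X1" refers to, since that label is not defined in this hunk.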
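Review bot: The `bcrypt<5` cap in the `web` extra carries no explanation in pyproject.toml, and the identical line is repeated in the `all` extra in the following hunk, so the two can drift apart on the next change. The reason for the cap lives only in .github/dependabot.yml, so a reader of this file sees an unexplained upper bound on a cryptographic dependency. I would add a trailing comment on both lines, `"bcrypt<5",  # passlib 1.7.x breaks on bcrypt 5.x; see .github/dependabot.yml`, so the cap and the Dependabot ignore rule are lifted together. Both arrays begin and end outside the hunks, so I cannot tell whether `all` could be built from `web` instead of duplicating it.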