chore: enforce 7-day minimum release age for deps and dependabot

.github/dependabot.yml

@@ -23,6 +23,10 @@ updates:
       # Only allow @types/node updates that match the Node.js major version (24.x)
       - dependency-name: "@types/node"
         update-types: ["version-update:semver-major"]
+    # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions.
+    # Dependabot does not read pnpm-workspace.yaml, so this must be configured here.
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 10
 
   # GitHub Actions
@@ -31,4 +35,6 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 5

pnpm-workspace.yaml

@@ -83,6 +83,7 @@ allowBuilds:
   protobufjs: true
   ssh2: true
 
+minimumReleaseAge: 10080
 minimumReleaseAgeStrict: true
 # First-party btravstack packages — the maturity delay guards against
 # third-party supply-chain risk, which does not apply to our own org's libraries.