chore: enforce 7-day minimum release age for deps and dependabot

.github/dependabot.yml

@@ -20,6 +20,10 @@ updates:
       # Only allow @types/node patch/minor updates (block major version bumps)
       - dependency-name: "@types/node"
         update-types: ["version-update:semver-major"]
+    # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions.
+    # Dependabot does not read pnpm-workspace.yaml, so this must be configured here.
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 10
 
   # GitHub Actions
@@ -28,4 +32,6 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 5

pnpm-workspace.yaml

@@ -43,6 +43,13 @@ allowBuilds:
   esbuild: true
   lefthook: true
 
+# Supply-chain maturity delay: don't adopt a freshly published version until it
+# has been on the registry for 7 days (10080 minutes). Strict mode also validates
+# the committed lockfile against this cutoff, so a same-day-published transitive
+# dep fails the check instead of slipping in silently.
+minimumReleaseAge: 10080
+minimumReleaseAgeStrict: true
+
 auditConfig:
   ignoreGhsas:
     # vite `server.fs.deny` bypass on Windows alternate paths. Reaches us only