chore: configure dependency minimum release age / cooldown

[Piccirello]

Adds a minimum release age ("cooldown") to this repo's package-manager
configuration so newly published dependency versions wait ~7 days before they
can be adopted. This reduces exposure to compromised or unstable packages that
are caught and unpublished shortly after release.

Applied per package manager found in the repo:

• Dependabot (.github/dependabot.yml): cooldown.default-days: 7 per ecosystem
• pnpm (pnpm-workspace.yaml): minimumReleaseAge: 10080 (minutes)
• npm (.npmrc): min-release-age=7 (days)
• yarn (.yarnrc.yml): npmMinimalAgeGate: "7d"
• bun (bunfig.toml): minimumReleaseAge = 604800 (seconds)
• uv (pyproject.toml): exclude-newer = "7 days"

Generated and verified with semgrep (package_managers.* rules); the check passes
after this change.

[greptile-apps]

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.npmrc:3
**Known npm bug with tilde version ranges**

`min-release-age` was introduced in npm CLI 11.10.0 (Feb 2026) and is the correct key here. However, there is a [known bug](https://github.com/npm/cli/issues/9005) where having this setting in `.npmrc` causes `npm install` to fail with `--min-release-age cannot be provided when using --before` whenever any dependency in the tree uses a `~` version range — npm internally derives `--before` from the release-age value and then treats it as a conflict. Since most `package.json` files use tilde ranges, any direct `npm install` invocation in CI or local dev would be broken by this setting until the bug is resolved upstream.

_{Reviews (1): Last reviewed commit: "chore: configure dependency minimum rele..." | Re-trigger Greptile}

[greptile-apps]

Known npm bug with tilde version ranges

min-release-age was introduced in npm CLI 11.10.0 (Feb 2026) and is the correct key here. However, there is a known bug where having this setting in .npmrc causes npm install to fail with --min-release-age cannot be provided when using --before whenever any dependency in the tree uses a ~ version range — npm internally derives --before from the release-age value and then treats it as a conflict. Since most package.json files use tilde ranges, any direct npm install invocation in CI or local dev would be broken by this setting until the bug is resolved upstream.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .npmrc
Line: 3

Comment:
**Known npm bug with tilde version ranges**

`min-release-age` was introduced in npm CLI 11.10.0 (Feb 2026) and is the correct key here. However, there is a [known bug](https://github.com/npm/cli/issues/9005) where having this setting in `.npmrc` causes `npm install` to fail with `--min-release-age cannot be provided when using --before` whenever any dependency in the tree uses a `~` version range — npm internally derives `--before` from the release-age value and then treats it as a conflict. Since most `package.json` files use tilde ranges, any direct `npm install` invocation in CI or local dev would be broken by this setting until the bug is resolved upstream.

How can I resolve this? If you propose a fix, please make it concise.