Security: Add cooldown period for uv to mitigate supply chain risks #3855
simbados asked this question in Core functionality
Describe your core improvement
Currently in the Dockerfile the dependencies are resolved with:
This introduces a large attack surface for supply chain attacks, as the build will pull in the newest versions of all transitive dependencies (except the pinned versions in the constraint file). Pinning direct dependencies has little effect, as the bulk of dependencies are transitive.
Home Assistant is already using uv, so it could introduce a cooldown period for dependencies (e.g. 1 day), which would look like this:
This could be combined with minimumReleaseAge from Renovate, so direct dependencies are also only updated after a day.
Current limitations
Currently transitive dependencies are resolved at build time. Most transitive dependencies are referenced with >= which will pull in the latest version.
Technical benefits
Mitigation against most supply chain attacks
Additional context
No response
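As an added example (not code from Home Assistant, uv, or the post above), a small audit that checks a resolved set of pins against the cooldown the post proposes: it computes the cutoff timestamp that uv's `--exclude-newer` option takes and flags any pinned version that was uploaded after it, or whose version is missing from the index. The resolved pins, the build time and the release metadata (in the shape of PyPI's JSON API) are constructed inline for the example.

```python
"""Cooldown audit for a resolved dependency set.

Added example, not code from Home Assistant, uv or the post. Release
metadata follows the shape of PyPI's JSON API (releases -> version ->
list of files with "upload_time_iso_8601"); all data is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what the resolver pinned (e.g. from a lock file).
RESOLVED = {"aiohttp": "3.9.5", "yarl": "1.9.4", "multidict": "6.0.6"}

# Constructed sample of per-version upload times, PyPI JSON API shape.
RELEASES = {
    "aiohttp": {"3.9.5": [{"upload_time_iso_8601": "2024-04-16T08:00:00.000000Z"}]},
    "yarl": {"1.9.4": [{"upload_time_iso_8601": "2024-05-01T22:30:00.000000Z"}]},
    "multidict": {"6.0.6": [{"upload_time_iso_8601": "2024-05-02T11:45:00.000000Z"}]},
}

# Constructed build time the audit is evaluated against (UTC).
BUILD_TIME = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)


def first_upload(releases, name, version):
    """Earliest upload time among a version's files, or None when the
    version is absent from the index (its age cannot be verified)."""
    files = releases.get(name, {}).get(version)
    if not files:
        return None
    return min(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )


def cooldown_cutoff(now, days):
    """Cutoff: releases uploaded after this are younger than the cooldown.
    Its .isoformat() is the RFC 3339 value uv's --exclude-newer accepts."""
    return now - timedelta(days=days)


def audit(resolved, releases, now, days):
    """Sorted names of pinned packages that violate the cooldown.
    Unknown versions count as violations rather than passing silently."""
    cutoff = cooldown_cutoff(now, days)
    too_new = []
    for name, version in resolved.items():
        uploaded = first_upload(releases, name, version)
        if uploaded is None or uploaded > cutoff:
            too_new.append(name)
    return sorted(too_new)


if __name__ == "__main__":
    print(cooldown_cutoff(BUILD_TIME, 1).isoformat())  # value for --exclude-newer
    print(audit(RESOLVED, RELEASES, BUILD_TIME, days=1))  # ['multidict', 'yarl']
```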