ci: add minimumReleaseAge to Renovate config

This change introduces a 4-hour delay for all npm dependency updates to mitigate the risk of dependency chain attacks. This provides a window to detect and react to malicious publications.

The cross-repo Angular dependencies are excluded from this rule as they are trusted sources.

Author: alan-agius4

renovate-presets/default.json5

@@ -73,6 +73,12 @@
     // ============================================================================
     // ECOSYSTEM-SPECIFIC GROUPING
     // ============================================================================
+    // Delay NPM updates to mitigate dependency chain attacks by malicious actors.
+    // This rule only affects direct dependencies.
+    {
+      minimumReleaseAge: '4 hours',
+      matchManagers: ['npm'],
+    },
 
     // Group Bazel updates
     {
@@ -95,6 +101,7 @@
       enabled: true, // Enable NPM updates of cross-repo dependencies on all branches.
       groupName: 'cross-repo angular dependencies',
       followTag: 'next',
+      minimumReleaseAge: null,
       separateMajorMinor: false,
       schedule: ['at any time'],
       matchPackageNames: [