ci: add minimumReleaseAge to Renovate config

This change introduces a 4-hour delay for all npm dependency updates to mitigate the risk of dependency chain attacks. This provides a window to detect and react to malicious publications.

The cross-repo Angular dependencies are excluded from this rule as they are trusted sources.

Author: alan-agius4

renovate-presets/default.json5

@@ -70,6 +70,20 @@
       matchManagers: ['npm'],
     },
 
+    // Delay NPM updates to mitigate dependency chain attacks by malicious actors.
+    // This rule only affects direct dependencies.
+    {
+      minimumReleaseAge: '4 hours',
+      matchManagers: ['npm'],
+      excludePackageNames: [
+        '@angular-devkit/**',
+        '@angular/**',
+        '@schematics/**',
+        'angular/**',
+        'ng-packagr',
+      ],
+    },
+
     // ============================================================================
     // ECOSYSTEM-SPECIFIC GROUPING
     // ============================================================================
@@ -95,6 +109,7 @@
       enabled: true, // Enable NPM updates of cross-repo dependencies on all branches.
       groupName: 'cross-repo angular dependencies',
       followTag: 'next',
+      minimumReleaseAge: null,
       separateMajorMinor: false,
       schedule: ['at any time'],
       matchPackageNames: [