fix: switch packageManager devEngines to warn + add minimumReleaseAge

Two related supply-chain hygiene changes:

1. devEngines.packageManager.onFail: error → warn
   pnpm v10 still shells out to system npm for several subcommands
   (`pnpm version`, `pnpm config`, etc.) and several CI steps in this
   repo invoke npm directly (`npm install`, `npm i @octokit/...`,
   `npm install -g @anthropic-ai/claude-code`). With onFail:error those
   trip EBADDEVENGINES. `warn` keeps the visible signal without
   blocking. Also pins version to 10.33.0 for clarity.

2. Add minimumReleaseAge: 1440 to pnpm-workspace.yaml
   24-hour quarantine on new package versions. Mitigates compromised
   npm packages that get discovered and yanked within the first day
   (shai-hulud worm, nx self-replicator, etc.). Brings this repo in
   line with the rest of the pnpm-migrated public repos.

Mirrors the rollout in apify/apify-client-js#895 + #896.

Author: B4nan

package.json

@@ -11,15 +11,16 @@
         "typescript": "^6.0.2",
         "vitest": "^4.1.2"
     },
-    "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
+    "packageManager": "pnpm@10.33.4",
     "devEngines": {
         "runtime": {
             "name": "node",
             "onFail": "error"
         },
         "packageManager": {
             "name": "pnpm",
-            "onFail": "error"
+            "version": "10.33.4",
+            "onFail": "warn"
         }
     }
 }

pnpm-workspace.yaml

@@ -1,2 +1,7 @@
 packages:
   - execute-workflow
+
+# Supply-chain protection: require packages to be at least 24h old before pnpm will install them.
+# Mitigates compromised npm packages discovered and yanked within the first day (shai-hulud worm,
+# nx self-replicator, etc.). 1440 minutes = 24 hours.
+minimumReleaseAge: 1440