```json5
// https://docs.renovatebot.com/presets-config/#configbest-practices
{
  "extends": [
    "config:recommended",
    "docker:pinDigests",
    "helpers:pinGitHubActionDigests",
    ":configMigration",
    ":pinDevDependencies",
    "abandonments:recommended",
    "security:minimumReleaseAgeNpm"
  ]
}
```

```json5
// https://docs.renovatebot.com/presets-security/#securityminimumreleaseagenpm
{
  "packageRules": [
    {
      "matchDatasources": [
        "npm"
      ],
      "minimumReleaseAge": "3 days",
      "internalChecksFilter": "strict"
    },
    {
      "description": "Do not require Minimum Release Age for update types that are controlled by the package manager",
      "matchDatasources": [
        "npm"
      ],
      "matchUpdateTypes": [
        "lockFileMaintenance"
      ],
      "prBodyNotes": [
        "⚠️ Renovate's lock file maintenance functionality does not support validating Minimum Release Age, as the package manager performs the required changes to update package(s). Confirm whether your package manager perform its own validation for the Minimum Release Age of packages."
      ],
      "minimumReleaseAge": null
    },
    {
      "description": "Do not require Minimum Release Age for package replacements",
      "matchDatasources": [
        "npm"
      ],
      "matchUpdateTypes": [
        "replacement"
      ],
      "prBodyNotes": [
        "⚠️ Renovate's replacement functionality [does not currently](https://github.com/renovatebot/renovate/issues/39400) wire in the release age for a package, so the Minimum Release Age checks can apply. You will need to manually validate the Minimum Release Age for these package(s)."
      ],
      "minimumReleaseAge": null
    }
  ]
}
```

Wait until the npm package is three days old before raising the update. This a) introduces a short delay to allow for malware researchers and scanners to (possibly) detect any malicious behaviour in packages, and b) prevents the maintainer and/or NPM from unpublishing a package you already upgraded to, breaking builds.
https://docs.renovatebot.com/configuration-options/#prevent-holding-broken-npm-packages

> npm packages less than 72 hours (3 days) old can be unpublished from the npm registry, which could result in a service impact if you have already updated to it. Set `minimumReleaseAge` to `3 days` for npm packages to prevent relying on a package that can be removed from the registry:

https://docs.renovatebot.com/merge-confidence/#package-ranking

> npm packages less than three days old can be unpublished, which can result in a service impact if you have updated to a package that gets unpublished. This is why npm packages can only get the High Confidence badge when they are at least three days old.

https://docs.renovatebot.com/key-concepts/minimum-release-age/#what-is-minimum-release-age

> For example, `minimumReleaseAge=14 days` would ensure that a package update is not suggested by Renovate until 14 days after its release, which allows plenty of time to allow security researchers and automated security tools to catch malicious intent in packages.
>
> **Wait two weeks before automerging third-party dependencies**
>
> If you `automerge` third-party dependencies, we recommend setting `minimumReleaseAge` to `"14 days"`. By waiting two weeks before automerging the dependencies, you give the upstream registries time to pull malicious dependencies, before Renovate merges them. If you want a third-party dependency update now, instead of waiting two weeks, you can request the update from the Dependency Dashboard.
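The two `prBodyNotes` rules above leave `lockFileMaintenance` and `replacement` updates without a Minimum Release Age check and ask you to validate them by hand. The script below is an added example (not Renovate's own code) of that manual check: it reads the `packages` map of a `package-lock.json`, looks up each version's publish timestamp in the npm packument `time` map, and flags anything younger than the policy. The package names, timestamps and the `lookup` callback are constructed sample data; a real run would fetch `https://registry.npmjs.org/<name>` for each dependency.

```javascript
// Parse a Renovate-style duration such as "3 days" or "14 days" into
// milliseconds. Only days and hours are handled; anything else is rejected.
function parseReleaseAge(spec) {
  const m = /^(\d+)\s*(days?|hours?)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported minimumReleaseAge: ${spec}`);
  return Number(m[1]) * (m[2].startsWith('day') ? 86_400_000 : 3_600_000);
}

// Decide whether `version` of one package is old enough to adopt. `times` is
// the packument's `time` map ({ created, modified, "<version>": ISO-8601 });
// `now` is injected so the check is deterministic and runs offline.
function releaseAgeVerdict(times, version, minimumReleaseAge, now) {
  const published = times[version];
  // Absent from `time` means never published or already unpublished.
  if (published === undefined) return { ok: false, ageDays: null, reason: 'version not in registry time map' };
  const ageMs = now.getTime() - Date.parse(published);
  if (Number.isNaN(ageMs)) return { ok: false, ageDays: null, reason: 'unparseable publish timestamp' };
  const ok = ageMs >= parseReleaseAge(minimumReleaseAge);
  const reason = ok ? 'meets minimum release age' : 'younger than minimum release age';
  return { ok, ageDays: Math.floor(ageMs / 86_400_000), reason };
}

// Walk the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and
// report every dependency that fails the policy. `lookup(name)` returns the
// packument `time` map; a real run would fetch it from the registry.
function findTooYoung(lockPackages, lookup, minimumReleaseAge, now) {
  const failures = [];
  for (const [path, entry] of Object.entries(lockPackages)) {
    if (path === '' || !entry.version) continue; // '' is the root project
    const name = path.slice(path.lastIndexOf('node_modules/') + 13); // keeps @scope/name
    const verdict = releaseAgeVerdict(lookup(name), entry.version, minimumReleaseAge, now);
    if (!verdict.ok) failures.push({ name, version: entry.version, ...verdict });
  }
  return failures;
}

// Constructed sample data (hypothetical package names) and a fixed "now".
const SAMPLE_TIMES = {
  'old-example':   { created: '2024-01-01T00:00:00Z', '1.0.0': '2024-01-01T00:00:00Z' },
  'fresh-example': { created: '2024-03-10T12:00:00Z', '2.0.0': '2024-03-10T12:00:00Z' },
};
const SAMPLE_LOCK = {
  '': { name: 'app', version: '0.0.1' },
  'node_modules/old-example': { version: '1.0.0' },
  'node_modules/fresh-example': { version: '2.0.0' },
};
const NOW = new Date('2024-03-12T00:00:00Z');
const lookupSample = (name) => SAMPLE_TIMES[name] || {};
console.log(findTooYoung(SAMPLE_LOCK, lookupSample, '3 days', NOW));
```

With the sample data, `fresh-example@2.0.0` is 36 hours old and is reported as too young for the `3 days` policy, while `old-example@1.0.0` passes; a version missing from the `time` map is reported as a failure rather than silently accepted.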