chore: harden supply chain with cooldown and version pinning

[yeojz]

Summary

• Dependabot: add cooldown (default-days: 7, semver-major-days: 14) to reduce PR noise from rapidly iterating dependencies
• pnpm: add minimumReleaseAge: 10080 (1 week) to delay installing freshly published packages
• Docker: pin node:24-alpine to node:24.14.1-alpine3.22 for reproducible builds

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	100% (🎯 100%)	1556 / 1556
🔵	Statements	100% (🎯 100%)	1577 / 1577
🔵	Functions	100% (🎯 100%)	346 / 346
🔵	Branches	100% (🎯 100%)	824 / 824

File Coverage

No changed files found.

Generated in workflow #374 for commit 741f2eb by the Vitest Coverage Report Action

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (bef64b8) to head (741f2eb).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #826   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           59        59           
  Lines         1996      1996           
  Branches       428       404   -24     
=========================================
  Hits          1996      1996           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codecov]

Bundle Report

Bundle size has no change ✅