
Package manager cooldown#3805

Open
gbennett-squarespace wants to merge 2 commits into semgrep:develop from gbennett-squarespace:package-manager-cooldown

Conversation


gbennett-squarespace commented Apr 6, 2026

Inspired by recent events and this PR: #3791

Several rules added, all revolving around package managers and their configuration.

Cooldown/Minimum Age for:
NPM: bun, pnpm, renovate, yarn
Python: uv

For pnpm, also added rules for blocking exotic subdependencies and for the trust policy, both related settings that help avoid installing malicious packages.

Rules have been tested in our environment with good success.

One semi-false positive: because pyproject.toml can be used by other package managers (Poetry, for example), the rule will flag such a file as missing the setting (see comment below). Also, if the repo is on too old a version of a package manager, it still flags it. Neither of these is easily solved in the context of the rule running.

In both cases I think there's still a strong argument for raising the finding, as it highlights a security gap in the environment.
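As an added illustration (not the PR's rules, and not semgrep code), the following Python models the branches a cooldown rule has to cover for two of the config formats named above: npm's `.npmrc` and Renovate's `renovate.json`. It classifies the setting as missing, empty, invalid, too low, or ok against a threshold. The key names (`min-release-age` in days for npm, `minimumReleaseAge` as a duration string for Renovate) are my reading of each tool's documentation, the 7-day threshold is an assumed policy, and the sample files are constructed inline; check the keys and units against the tool version you run.

```python
"""Classify package-manager cooldown settings: missing, empty, invalid,
too-low, or ok. Added example, not the PR's semgrep rules.

Assumptions (verify against your tool versions):
  * npm reads `min-release-age=<days>` from .npmrc (ini-style lines).
  * Renovate reads `minimumReleaseAge` as a string such as "3 days".
  * Policy threshold: at least one week (THRESHOLD_MINUTES).
"""
import json
import re

THRESHOLD_MINUTES = 7 * 24 * 60  # assumed policy: one week

_UNITS = {
    "minute": 1, "minutes": 1, "min": 1,
    "hour": 60, "hours": 60, "h": 60,
    "day": 1440, "days": 1440, "d": 1440,
    "week": 10080, "weeks": 10080, "w": 10080,
}


def duration_minutes(value, default_unit):
    """Parse '7', '7 days', '3d', '90 minutes' into minutes.

    Returns None when the value cannot be parsed. A bare number takes
    `default_unit`, which differs per tool.
    """
    if isinstance(value, bool):          # JSON true/false is not a duration
        return None
    if isinstance(value, (int, float)):
        value = str(value)
    if not isinstance(value, str):
        return None
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", value)
    if not m:
        return None
    unit = m.group(2).lower() or default_unit
    if unit not in _UNITS:
        return None
    return int(m.group(1)) * _UNITS[unit]


def classify(value, default_unit, threshold=THRESHOLD_MINUTES):
    """Map a present setting value to one of: empty, invalid, too-low, ok."""
    if isinstance(value, str) and value.strip() == "":
        return "empty"
    minutes = duration_minutes(value, default_unit)
    if minutes is None:
        return "invalid"
    if minutes < threshold:
        return "too-low"
    return "ok"


def check_npmrc(text):
    """npm: look for `min-release-age=<days>`; last occurrence wins."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # ini comments
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "min-release-age":
            value = val.strip()
    if value is None:
        return "missing"
    return classify(value, "days")


def check_renovate(text):
    """Renovate: `minimumReleaseAge` in renovate.json, e.g. "14 days"."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return "invalid"
    if "minimumReleaseAge" not in cfg:
        return "missing"
    value = cfg["minimumReleaseAge"]
    if value is None:
        return "empty"
    return classify(value, "days")


# Constructed sample files (not from any real repository).
SAMPLE_NPMRC_OK = "registry=https://registry.npmjs.org/\nmin-release-age=7\n"
SAMPLE_NPMRC_LOW = "; cooldown too short for the assumed policy\nmin-release-age=1\n"
SAMPLE_NPMRC_MISSING = "audit=true\n"
SAMPLE_NPMRC_EMPTY = "min-release-age=\n"
SAMPLE_NPMRC_BAD = "min-release-age=soon\n"
SAMPLE_RENOVATE_OK = '{"extends": ["config:recommended"], "minimumReleaseAge": "14 days"}'
SAMPLE_RENOVATE_LOW = '{"minimumReleaseAge": "3 days"}'
SAMPLE_RENOVATE_MISSING = '{"extends": ["config:recommended"]}'

if __name__ == "__main__":
    for name, text, fn in [
        ("npmrc ok", SAMPLE_NPMRC_OK, check_npmrc),
        ("npmrc low", SAMPLE_NPMRC_LOW, check_npmrc),
        ("npmrc missing", SAMPLE_NPMRC_MISSING, check_npmrc),
        ("npmrc empty", SAMPLE_NPMRC_EMPTY, check_npmrc),
        ("npmrc bad", SAMPLE_NPMRC_BAD, check_npmrc),
        ("renovate ok", SAMPLE_RENOVATE_OK, check_renovate),
        ("renovate low", SAMPLE_RENOVATE_LOW, check_renovate),
        ("renovate missing", SAMPLE_RENOVATE_MISSING, check_renovate),
    ]:
        print(f"{name:18} -> {fn(text)}")
```

The point of the separate `empty` and `invalid` branches is the one the PR makes: a key that is present but unusable is as much of a gap as a missing key, and a rule that only checks presence would silently pass both.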


CLAassistant commented Apr 6, 2026

CLA assistant check
All committers have signed the CLA.


mleykin-squarespace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

gbennett-squarespace (Author) commented

expected a single document in the stream
  in "package_managers/pnpm/pnpm-trust-policy.test.yaml", line 3, column 1
but found another document
  in "package_managers/pnpm/pnpm-trust-policy.test.yaml", line 6, column 1
expected a single document in the stream
  in "package_managers/dependabot/dependabot-missing-cooldown.test.yaml", line 2, column 1
but found another document

Curious as to the rationale of requiring only a single YAML spec in each file. This makes test files more difficult, and there are plenty of legitimate use cases for a multi-spec YAML file. 🤔

One semi-false positive is because pyproject.toml can be used by other package managers (Poetry for example)

Note on this: this doesn't seem to actually be true; it's an artifact of our environment and folks copy/pasting pyproject.toml with an empty tool.uv in there. 😭

With no tool.uv, the rule flags correctly (skipping Poetry projects with a correct toml).

0xDC0DE (Contributor) commented Apr 9, 2026

Thanks for your contribution!
Using proper language parsers, metavariable-comparison for threshold validation, and multi-branch detection (missing, too low, invalid format, empty) is exactly the right approach. The test coverage is also great!

Curious as to the rationale of requiring only a single YAML spec in each file. This makes test files more difficult, and there are plenty of legitimate use cases for a multi-spec YAML file. 🤔

That's fair feedback, I made #3809 to fix that.

In the meantime, can you take a look at fixing the errors from the rule lints?

This rule has a multi-line message field, which may display poorly in a terminal. Consider ensuring it is on one line. For example, use message: >-, not message: |.
