feat(pnpm): add minimumReleaseAgeExclude for security updates #39168

@jamietanna

Describe the proposed change(s).

As discussed in #38766, it would be a very positive user experience improvement if we were to integrate pnpm's minimumReleaseAgeExclude with Renovate raising security updates.

This would require we follow the rough flow of:

  • if this is not a vulnerability alert, do nothing
  • parse the pnpm-workspace.yaml (as a raw YAML document)
  • determine if minimumReleaseAgeExclude is found
  • if minimumReleaseAgeExclude isn't found, create it
  • append to the minimumReleaseAgeExclude YAML type:
    • a comment, indicating that this is a Renovate-issued security upgrade?
    • the version upgrade

Depending on how we do it, we need to consider:

  • what happens to the existing YAML document, and relevant formatting, etc? Do we risk breaking / reformatting too much?
    • likely already covered in existing functionality in lib/modules/manager/npm/update/dependency/pnpm.ts
  • where do we want to create minimumReleaseAgeExclude if one's not already found? Immediately after packages or minimumReleaseAge? At the bottom of the file?

This will avoid ERR_PNPM_NO_MATCHING_VERSION errors requiring manual human intervention.
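The flow listed above, as an added example that is not part of the original issue and is not Renovate's code: a text-level edit of `pnpm-workspace.yaml` that leaves every existing line untouched. The function name `addSecurityExclude`, the `name@version` entry form, the bottom-of-file placement for a missing key, and the comment wording are assumptions.

```typescript
// Added example, not Renovate code. Assumptions: entries look like
// "name@version", a missing key is created at the end of the file, and the
// comment wording below is hypothetical.
const KEY = 'minimumReleaseAgeExclude';
const NOTE = '# Renovate security update';

function addSecurityExclude(
  raw: string,
  pkg: string,
  version: string,
  isVulnerabilityAlert: boolean,
): string {
  if (!isVulnerabilityAlert) return raw; // not a vulnerability alert: do nothing
  const entry = `${pkg}@${version}`;
  // A plain YAML scalar cannot start with "@", so scoped names are quoted.
  const scalar = entry.startsWith('@') ? `'${entry}'` : entry;
  const lines = raw.split('\n');
  const keyIdx = lines.findIndex((l) => l.startsWith(`${KEY}:`));

  if (keyIdx === -1) {
    // Key absent: append it, leaving every existing byte untouched.
    const sep = raw === '' || raw.endsWith('\n') ? '' : '\n';
    return `${raw}${sep}${KEY}:\n  ${NOTE}\n  - ${scalar}\n`;
  }
  if (!/^[^:]+:\s*(#.*)?$/.test(lines[keyIdx] ?? '')) {
    // Flow style ("key: [a, b]") needs a real YAML parser; refuse to guess.
    throw new Error(`${KEY} is not a block sequence`);
  }

  let last = keyIdx; // index of the last line that belongs to the list
  let indent = '  ';
  for (let i = keyIdx + 1; i < lines.length; i++) {
    const line = lines[i] ?? '';
    const item = /^(\s*)-\s+(.*?)\s*(?:#.*)?$/.exec(line);
    if (item) {
      const value = (item[2] ?? '').replace(/^['"]|['"]$/g, '');
      if (value === entry) return raw; // already excluded: idempotent
      indent = item[1] ?? indent;
      last = i;
    } else if (!/^\s*(#.*)?$/.test(line)) {
      break; // a non-blank, non-comment line: the list has ended
    }
  }
  lines.splice(last + 1, 0, `${indent}${NOTE}`, `${indent}- ${scalar}`);
  return lines.join('\n');
}
```

Because the edit is line-based, existing comments, quoting and blank lines survive byte for byte, and running it twice for the same upgrade leaves the file unchanged.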

Labels

priority-3-medium: Default priority, "should be done" but isn't prioritised ahead of others
