
chore: Apply security best practices#53

Merged
smockle merged 1 commit into
mainfrom
smockle/supply-chain-defaults
May 29, 2026

Conversation

@smockle (Collaborator) commented May 28, 2026

Apply security best practices: delay updates, use deterministic installs, avoid pull_request_target, review permissions, pin third-party actions, etc.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
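The PR description lists several workflow-level practices (avoid pull_request_target, review permissions, pin third-party actions, deterministic installs) without showing a file. The following is an added example of a workflow that applies them; it is not a file from this PR or this repository. The workflow name, the Node version, the job layout and the all-zero commit SHAs are placeholders I chose for illustration.

```yaml
# Added example (not a file from this PR): a GitHub Actions workflow that
# applies the practices listed in the PR description.
name: ci

# Trigger on pull_request, not pull_request_target: for pull requests from
# forks the job then runs with a read-only token and no repository secrets,
# so code contributed in the PR cannot reach them.
on:
  pull_request:
  push:
    branches: [main]

# Least privilege at the workflow level; a job that needs more (e.g. to
# publish) declares its own permissions block instead of widening this one.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin every action (first-party ones included) to a full commit SHA,
      # with the tag as a trailing comment for readability. A tag like v4 is
      # mutable; a SHA is not. The SHAs below are placeholders, not real
      # commits: replace them with the SHA of the release you reviewed.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4
        with:
          node-version: 'lts/*'   # placeholder; pick the version the project tests against
      # Deterministic install: `npm ci` installs exactly what the committed
      # package-lock.json records and fails if package.json disagrees with it,
      # unlike `npm install`, which may resolve newer versions and rewrite the lockfile.
      - run: npm ci
      - run: npm test
```

Dependabot can keep the SHA pins current: a github-actions update entry in dependabot.yml proposes bumps to the pinned commit (and updates the tag comment), so pinning by SHA does not mean the versions go stale.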
Copilot AI review requested due to automatic review settings May 28, 2026 13:08
@smockle smockle requested a review from a team as a code owner May 28, 2026 13:08
@smockle smockle requested a review from accessibility-bot May 28, 2026 13:08

Copilot AI left a comment

Pull request overview

This PR applies small configuration changes intended to reduce supply-chain risk and noisy update churn by adding a short “cooldown” delay before adopting newly released dependency updates.

Changes:

  • Add an .npmrc setting to delay adoption of very recent package releases.
  • Configure Dependabot update entries to use a 3-day cooldown for both npm and GitHub Actions updates.
Summary per file:

  • .npmrc: Adds a minimum release age setting to delay consuming very new npm package versions.
  • .github/dependabot.yml: Adds a 3-day cooldown to Dependabot update configurations for npm and GitHub Actions.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 0
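The review summary describes the two configuration changes but the page does not show the files themselves. The following is an added example of a dependabot.yml that does what the summary describes, written here for illustration rather than copied from the PR. The weekly schedule and the root directory are my assumptions; the only settings the page supports are the two ecosystems and the 3-day cooldown.

```yaml
# Added example (not the file from this PR): .github/dependabot.yml with a
# 3-day cooldown for the two ecosystems the review summary mentions.
version: 2
updates:
  - package-ecosystem: npm
    directory: /            # assumption: package.json at the repository root
    schedule:
      interval: weekly      # assumption: the PR page does not state the schedule
    # Do not propose a version until it has been published for 3 days.
    # A malicious release that is pulled within that window is never
    # turned into a PR, and the noisy follow-up patch releases are skipped.
    cooldown:
      default-days: 3

  - package-ecosystem: github-actions
    directory: /            # Dependabot scans .github/workflows from the root
    schedule:
      interval: weekly
    cooldown:
      default-days: 3
```

The cooldown only delays what Dependabot proposes; a developer running `npm install` locally can still pick up a release published an hour ago. That is what the .npmrc side of the change addresses: a client-side minimum release age setting (in npm I take this to be the `min-release-age` option, in days, which is my reading of the summary rather than something the page shows) applies the same delay to installs, so the two settings together cover both the automated and the manual path.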

@smockle smockle enabled auto-merge May 28, 2026 13:13

@JoyceZhu (Contributor) left a comment

Not entirely sure why Guidepup tests mysteriously started failing here.

@smockle (Collaborator, Author) commented May 29, 2026

Not entirely sure why Guidepup tests mysteriously started failing here.

These tests have always been a little flaky, but they’re really struggling here. I’m going to go ahead and merge this anyways, since:

  1. I can’t think of a reason why this PR would be the source of the failures.
  2. Even if the tests were passing, at this point they’re likely testing Firefox’s native ariaNotify implementation—instead of the polyfill—so not giving much useful signal about the polyfill’s code quality. (Semi-related: Is cross browser support expected? #24 (comment))
  3. This PR’s changes are important.

@smockle smockle disabled auto-merge May 29, 2026 15:05
@smockle smockle merged commit d46ae55 into main May 29, 2026
4 of 13 checks passed
@smockle smockle deleted the smockle/supply-chain-defaults branch May 29, 2026 15:05