feat: add min-release-age-exclude with glob pattern support

[caseyjhol]

Summary

• add a new npm config option, min-release-age-exclude, to exclude selected packages from before / min-release-age publish-time filtering
• support both exact package names and glob patterns (for example @myorg/*)
• apply the exclusion behavior consistently across manifest picking and query/outdated logic, with tests and snapshot updates

Motivation

min-release-age is useful for supply-chain risk reduction, but teams often need fast updates for internal packages or urgent CVE responses. This adds an exclusion mechanism so strict age policies can coexist with targeted exceptions.

Changes

• config definition + flattening to flatOptions.minReleaseAgeExclude
• glob matching for excluded package names in publish-time filtering
• consistent behavior in arborist query/outdated paths
• tests for config flattening and exclusion behavior (exact + glob)
• docs/snapshot updates for the new option

Test plan

• run focused config tests for min-release-age-exclude flattening
• run arborist query selector tests covering before + exclusion behavior
• refresh docs snapshots and verify generated help/config output updates

Related issues

• Closes npm/cli#8994
• Also addresses related request in npm/cli#8979 comment

[vyancharuk]

Hi @wraithgar @owlstronaut @manzoorwanijk 👋 - friendly ping on this one! This PR adds min-release-age-exclude and closes #8994, which is a much-needed exclusion option for teams using min-release-age. Review feedback from @ltomasini-cc has been addressed. Would love to get this reviewed as soon as you can. Thanks!

[wraithgar]

This is a feature that overlaps with several other things folks want, including allowing dependency types and allowing lifecycle scripts. Because of that we have an rfc discussion ongoing in npm/rfcs#861 to try to come up with something that will work as a pattern for all of these approaches. We don't want to throw quick solutions at this which are hard to maintain or implement.

[JamieMagee]

You added min-release-age-exclude but not min-release-age here. Intentional?

[JamieMagee]

This pulls in minimatch, but it's not in npm-pick-manifest's package.json. It resolves right now purely because the root has minimatch@^10.2.5 and Node hoists it. Installed on its own, this throws Cannot find module 'minimatch'. Add it to that package's deps when you move the change upstream.

[JamieMagee]

Nice work on this, the feature design is solid. One thing blocks it though: the actual exclusion logic is a hand-edit to node_modules/npm-pick-manifest, and that's not a workspace here, it's an external dep. That edit gets blown away the next time the dep is installed or bumped, and it won't be int he published package either. So isExcludedFromTimeFilter needs to go upstream into npm/npm-pick-manifest, get released, and then we bump the version in this repo to pick it up.