build: add cooldown to 4 days to enhance security control

Adds `exclude-newer = "4 days"` under `[tool.uv.pip]` in `pyproject.toml`, preventing uv from resolving packages published within the last 4 days. This aligns with the constraint already referenced in `scripts/ci/prek/upgrade_important_versions.py` and reduces exposure to supply chain attacks that exploit newly published malicious package versions. The `uv.lock` is regenerated under this constraint.

Author: Lee-W

pyproject.toml

@@ -147,6 +147,10 @@ version_provider = "uv"
 version_scheme = "pep440"
 annotated_tag = true
 
+[tool.uv.pip]
+# Synchroonize with scripts/ci/prek/upgrade_important_versions.py
+exclude-newer = "4 days"
+
 [tool.uv.build-backend]
 module-name = "commitizen"
 module-root = ""