(FR): Implement exclusion mechanism for 'minimumReleaseAge' feature for CVE mitigation #8979

@dburrows

minimumReleaseAge was recently implemented, which is a great addition to combat supply chain attacks. Unfortunately, not having an exclusion mechanism makes adoption hard.

In the situation where there's an urgent CVE that needs mitigation by immediately updating an affected package, there's no way to allow that particular package to be excluded from the minimum release age.

As prior art, pnpm have already implemented a mechanism (https://pnpm.io/settings#minimumreleaseageexclude), so it might be a good idea to align with that.

As ever, thanks for all the hard work!
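
An illustration of the behaviour requested above, added here as an example and not taken from this project or from pnpm: a release-age gate that skips the age check for packages on an exclude list and reports when it did so. The names `pickVersion`, `minimumReleaseAgeMinutes` and `exclude`, the exact-name matching, and the sample package and timestamps are assumptions constructed for the example.

```javascript
// Added example: hypothetical release-age gate with an exclude list.
// pickVersion and its option names are assumptions, not a real package manager API.
const MINUTE_MS = 60 * 1000;

// Constructed sample: version -> publish time, shaped like a registry "time" map.
const SAMPLE_TIMES = {
  '2.3.0': '2025-01-01T00:00:00Z',
  '2.3.1': '2025-03-01T00:00:00Z',
  '2.3.2': '2025-03-09T18:00:00Z', // constructed urgent fix, 6 hours old at NOW
};
const NOW = new Date('2025-03-10T00:00:00Z');

// Numeric x.y.z comparison; pre-release tags are out of scope here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function pickVersion(name, times, options, now) {
  const { minimumReleaseAgeMinutes, exclude = [] } = options;
  const excluded = exclude.includes(name); // exact-name match only
  const cutoff = now.getTime() - minimumReleaseAgeMinutes * MINUTE_MS;
  // A version is old enough only if its timestamp parses and is at or before the cutoff.
  const oldEnough = (v) => {
    const t = Date.parse(times[v]);
    return !Number.isNaN(t) && t <= cutoff;
  };
  const candidates = Object.keys(times)
    .filter((v) => excluded || oldEnough(v))
    .sort(compareVersions);
  if (candidates.length === 0) return { version: null, gateBypassed: false };
  const version = candidates[candidates.length - 1];
  // Report when the exclusion actually overrode the gate, so it can be logged and reviewed.
  return { version, gateBypassed: excluded && !oldEnough(version) };
}

const policy = { minimumReleaseAgeMinutes: 3 * 24 * 60 }; // 3 days
const withExclude = { ...policy, exclude: ['example-lib'] };
console.log(pickVersion('example-lib', SAMPLE_TIMES, policy, NOW));      // gated
console.log(pickVersion('example-lib', SAMPLE_TIMES, withExclude, NOW)); // excluded
```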
