feat(workers/repository): raise artifact error if pending version used in an update #41629

Merged: jamietanna merged 4 commits into main from iss/41622 on Mar 4, 2026

Conversation

@jamietanna (Contributor) commented Mar 3, 2026

Changes

When using Minimum Release Age, and a package manager that doesn't
support being told an explicit version to update to (#41624), it is
possible that an artifact update leads to a different version of a
dependency being used compared to what Renovate is expecting.

This can lead to, at best, a surprising PR update, and at worst, a
supply chain attack.

We should report these cases more explicitly with an Artifact Error, to
allow the reviewers to decide what to do with the changes.

To do this, we need to re-extract package files after an update, and
determine if any of the version(s) of that dependency are using any of
the pendingVersions.

This may be slightly breaking to users, which is why this is a feat,
not a fix, but isn't so breaking that it's worth leaving until the
next breaking change.

Context

Please select one of the following:

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.

  • No — I did not use AI for this contribution.
  • Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
  • Yes — substantive assistance (AI-generated non-trivial portions of code, tests, or documentation).
  • Yes — other (please describe): Claude Sonnet 4.6 (GitHub Copilot + crush)

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests, but ran on a real repository, or
  • Both unit tests + ran on a real repository

The public repository: JamieTanna-Mend-testing/renovate-iss-41607#1

When skipping checks:

 WARN: Artifact error would be reported due to a pending version in use which hasn't passed Minimum Release Age, but as we're running with minimumReleaseAgeBehaviour=timestamp-optional, proceeding. See debug logs for more information (repository=JamieTanna-Mend-testing/renovate-iss-41607, branch=renovate/boto3-1.x-lockfile)
       "packageFileName": "pyproject.toml",
       "depName": "boto3",
       "expectedVersion": "1.42.55",
       "resolvedVersion": "1.42.59"
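The re-extract-and-compare check the PR describes, written out as an added TypeScript example; this is not Renovate's own code. The type and function names, the `"strict"` behaviour value (only `timestamp-optional` appears on this page), and the sample package-file data are assumptions made for the example, built around the expected/resolved versions shown in the log above.

```typescript
// Added example, not Renovate's own code. It models the check the PR
// describes: after an artifact update, re-extract the package files and
// report an Artifact Error if the dependency now resolves to one of the
// pendingVersions (versions that have not yet passed minimumReleaseAge).
// All type and function names below are assumptions made for this example.

type MinimumReleaseAgeBehaviour = "strict" | "timestamp-optional";
// "timestamp-optional" appears in the PR's log output; "strict" is an
// assumed name for the "fail with an Artifact Error" behaviour.

interface ExtractedDep {
  packageFileName: string;
  depName: string;
  currentVersion: string; // version found when the file is re-extracted
}

interface PendingVersionCheck {
  depName: string;
  expectedVersion: string; // the version Renovate intended to update to
  pendingVersions: string[]; // versions still inside minimumReleaseAge
}

interface ArtifactError {
  packageFileName: string;
  depName: string;
  expectedVersion: string;
  resolvedVersion: string;
}

interface CheckResult {
  artifactErrors: ArtifactError[];
  warnings: string[];
}

// Find every re-extracted occurrence of the dependency that resolved to a
// pending version instead of the version Renovate expected.
function findPendingVersionUses(
  reExtracted: ExtractedDep[],
  check: PendingVersionCheck,
): ArtifactError[] {
  const pending = new Set(check.pendingVersions);
  const found: ArtifactError[] = [];
  for (const dep of reExtracted) {
    if (dep.depName !== check.depName) continue;
    if (dep.currentVersion === check.expectedVersion) continue; // the happy path
    if (!pending.has(dep.currentVersion)) continue; // not a pending version: out of scope here
    found.push({
      packageFileName: dep.packageFileName,
      depName: dep.depName,
      expectedVersion: check.expectedVersion,
      resolvedVersion: dep.currentVersion,
    });
  }
  return found;
}

// Decide what to do with the findings. Under "timestamp-optional" the update
// proceeds with a warning (as in the PR's log); otherwise each finding is an
// Artifact Error that surfaces the mismatch to reviewers.
function evaluatePendingVersionUses(
  reExtracted: ExtractedDep[],
  check: PendingVersionCheck,
  behaviour: MinimumReleaseAgeBehaviour,
): CheckResult {
  const uses = findPendingVersionUses(reExtracted, check);
  if (uses.length === 0) return { artifactErrors: [], warnings: [] };
  if (behaviour === "timestamp-optional") {
    const warnings = uses.map(
      (u) =>
        `WARN: ${u.depName} in ${u.packageFileName} resolved to pending version ${u.resolvedVersion} ` +
        `(expected ${u.expectedVersion}); proceeding because minimumReleaseAgeBehaviour=timestamp-optional`,
    );
    return { artifactErrors: [], warnings };
  }
  return { artifactErrors: uses, warnings: [] };
}

// Constructed sample modelled on the PR's log: boto3 was expected at
// 1.42.55 but the lockfile update pulled in 1.42.59. The pendingVersions
// list and the second dependency are made up for the example.
const SAMPLE_REEXTRACTED: ExtractedDep[] = [
  { packageFileName: "pyproject.toml", depName: "boto3", currentVersion: "1.42.59" },
  { packageFileName: "pyproject.toml", depName: "example-other-dep", currentVersion: "2.0.0" },
];

const SAMPLE_CHECK: PendingVersionCheck = {
  depName: "boto3",
  expectedVersion: "1.42.55",
  pendingVersions: ["1.42.56", "1.42.57", "1.42.58", "1.42.59"],
};

const strictResult = evaluatePendingVersionUses(SAMPLE_REEXTRACTED, SAMPLE_CHECK, "strict");
console.log(JSON.stringify(strictResult, null, 2));
```

Run with `strict` and the boto3 entry becomes an Artifact Error carrying the same four fields as the PR's log (`packageFileName`, `depName`, `expectedVersion`, `resolvedVersion`); run with `timestamp-optional` and the same finding is downgraded to a warning and the update proceeds, which is the behaviour the log line above records.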


Labels

minimumReleaseAge priority-2-high Bugs impacting wide number of users or very important features

Development

Successfully merging this pull request may close these issues.

Fail with an Artifact Error if a package update introduces a version bump to a pendingVersion

3 participants