chore: add release note for uv exclude-newer supply chain hardening

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: julian-risch

releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml

@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    Haystack's uv configuration now excludes packages published within the last
+    24 hours when resolving dependencies, reducing exposure to supply chain
+    attacks via freshly compromised packages. If you need to install a dependency
+    that was published less than 24 hours ago, you can override this by running
+    ``uv sync --exclude-newer="0 days"`` or
+    ``uv pip install <package> --exclude-newer="0 days"``.