config: tune concurrency, security scheduling, stability, noise

- Reconcile concurrency limits: prConcurrentLimit 50 -> 10 and
  branchConcurrentLimit 5 -> 10 (every PR needs a branch, so the old 5 capped
  effective PRs and made 50 meaningless).
- Let vulnerability updates bypass the weekday schedule
  (vulnerabilityAlerts.schedule = at any time) so weekend CVE fixes are not
  held until Monday.
- Add minimumReleaseAge = 3 days so a release ages before it is opened or
  automerged (guards against broken/yanked releases).
- Drop redundant assignees (same single user as reviewers) -- noise on every
  PR, including auto-merged ones.

Closes #46
Closes #47
Closes #48
Closes #49
Emma Thorpe
2026-06-16 14:44:52 +01:00
parent b2fc6a58eb
commit 653934dc98
+5 -4
@@ -8,12 +8,12 @@ module.exports = {
"extends": ["config:best-practices"],
"schedule": ["* * * * 1-5"],
"timezone": "Europe/London",
"minimumReleaseAge": "3 days",
"labels": ["dependencies"],
"assignees": ["lyrathorpe"],
"reviewers": ["lyrathorpe"],
"prHourlyLimit": 10,
"prConcurrentLimit": 50,
"branchConcurrentLimit": 5,
"prConcurrentLimit": 10,
"branchConcurrentLimit": 10,
"packageRules": [
{
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
@@ -29,6 +29,7 @@ module.exports = {
"schedule": ["before 4am on monday"]
},
"vulnerabilityAlerts": {
"enabled": true
"enabled": true,
"schedule": ["at any time"]
}
};
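Review bot: The new top-level `"minimumReleaseAge": "3 days"` and the `vulnerabilityAlerts` block in the second hunk leave it unstated whether a security fix also has to age for three days before a PR is opened. The added `"schedule": ["at any time"]` lifts only the weekday window, so whether the age hold still applies depends on Renovate's built-in `vulnerabilityAlerts` defaults, which this file does not pin. If fixes are meant to bypass the hold, add `"minimumReleaseAge": null` next to the schedule with a comment such as `// security fixes skip the weekday schedule and the release-age hold`. If they are meant to age as well, say so in a comment, because the hold is also the guard against a bad or yanked release being merged. The age check presumably needs a release timestamp from the registry, so confirm that the datasources in use provide one. The first `packageRules` entry continues outside the hunk, so its interaction with automerge could not be checked here.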