chore: add dependencies upgrade policy to readme (#39163)

* chore: add dependencies upgrade policy to readme

as per wg-releases july 19 meeting 

https://docs.google.com/document/d/1XWdD4uAu9m8Gcpiw1j5fLwwZ_hU4rce9JyTpuKU6uM8/edit?pli=1

* Update CONTRIBUTING.md

Co-authored-by: David Sanders <[email protected]>

---------

Co-authored-by: John Kleinschmidt <[email protected]>
Co-authored-by: David Sanders <[email protected]>

CONTRIBUTING.md

@@ -60,6 +60,10 @@ dependencies, and tools contained in the `electron/electron` repository.
   * [Step 11: Landing](https://electronjs.org/docs/development/pull-requests#step-11-landing)
   * [Continuous Integration Testing](https://electronjs.org/docs/development/pull-requests#continuous-integration-testing)
 
+### Dependencies Upgrades Policy
+
+Dependencies in Electron's `package.json` or `yarn.lock` files should only be altered by maintainers. For security reasons, we will not accept PRs that alter our `package.json` or `yarn.lock` files. We invite contributors to make requests updating these files in our issue tracker. If the change is significantly complicated, draft PRs are welcome, with the understanding that these PRs will be closed in favor of a duplicate PR submitted by an Electron maintainer.
+
 ## Style Guides
 
 See [Coding Style](https://electronjs.org/docs/development/coding-style) for information about which standards Electron adheres to in different parts of its codebase.