chore: set yarn npmMinimalAgeGate (#2022)

## Summary

In response to the recent [axios supply chain attack](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan), we are tightening package management controls to reduce our exposure to malicious or compromised npm packages.

**Changes:**
- Updated `yarnPath` in `.yarnrc.yml` to point to Yarn 4.13.0
- Updated `packageManager` in `package.json` to reflect Yarn 4.13.0
- Removed old Yarn releases (4.5.1 and 1.22.18) from the `releases/` directory
- Added Yarn 4.13.0 to the `releases/` directory
- Set `npmMinimalAgeGate: 7` in `.yarnrc.yml` — Yarn will now block installation of any package version published less than 7 days ago, providing a buffer against freshly-injected malicious releases

### How to test locally or on Vercel

1. Pull this branch and run `yarn --version` — confirm it outputs `4.13.0`.
2. Run `yarn install` and verify it completes without errors.
3. Attempt to add a package version published within the last 7 days (e.g. a freshly released patch) and confirm Yarn rejects it with an age gate error.
4. Add a package version older than 7 days and confirm it installs successfully.
5. Confirm the old Yarn release files (`4.5.1`, `1.22.18`) are no longer present in `releases/`.

### References

- Blog post: [axios compromised on npm — malicious versions drop remote access trojan](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan)
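The age gate described in the commit message, modelled as an added JavaScript example (not Yarn's implementation and not this repository's code): it parses a `7d` style duration, splits a packument-style `time` map into versions that are old enough and versions the gate would block, and shows that when the newest release is too fresh an older one becomes the highest installable candidate. The registry data is constructed, and the fall-back-to-older behaviour is a modelling assumption about the intended effect of the setting, not a statement of Yarn's exact resolver rules.

```javascript
// Offline model of a publish-age gate such as Yarn's npmMinimalAgeGate.
// Added example with constructed data; not Yarn's implementation or this repository's code.
// Parse a duration such as "7d", "12h" or "30m" into milliseconds.
// A bare number (the "7" in the PR description) is treated as days; that is an assumption.
function parseAgeGate(spec) {
  const m = /^(\d+)\s*([dhm]?)$/.exec(String(spec).trim());
  if (!m) throw new Error(`unrecognised age gate: ${spec}`);
  const unitMs = { d: 86_400_000, h: 3_600_000, m: 60_000, '': 86_400_000 }[m[2]];
  return Number(m[1]) * unitMs;
}

// Compare plain x.y.z versions numerically (prerelease tags are out of scope here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Split a packument-style `time` map into versions old enough to install and
// versions the gate would block, measured against `now` (ms since epoch).
function applyAgeGate(timeMap, gateSpec, now = Date.now()) {
  const minAgeMs = parseAgeGate(gateSpec);
  const allowed = [], blocked = [];
  for (const [version, published] of Object.entries(timeMap)) {
    if (version === 'created' || version === 'modified') continue; // registry metadata keys
    const ageMs = now - Date.parse(published);
    (ageMs >= minAgeMs ? allowed : blocked).push(version);
  }
  allowed.sort(compareVersions);
  blocked.sort(compareVersions);
  return { allowed, blocked };
}

// Highest version that passes the gate, or null when every version is too new.
function resolveWithGate(timeMap, gateSpec, now = Date.now()) {
  const { allowed } = applyAgeGate(timeMap, gateSpec, now);
  return allowed.length ? allowed[allowed.length - 1] : null;
}

// Constructed `time` map: 1.2.3 is 30 days old, 1.2.4 was published two days before NOW,
// so 1.2.4 stands in for a freshly published (possibly injected) release.
const NOW = Date.parse('2026-03-31T18:37:07Z');
const SAMPLE_TIME = {
  created: '2025-01-01T00:00:00.000Z',
  modified: '2026-03-29T18:37:07.000Z',
  '1.2.3': '2026-03-01T18:37:07.000Z',
  '1.2.4': '2026-03-29T18:37:07.000Z',
};
console.log(applyAgeGate(SAMPLE_TIME, '7d', NOW), resolveWithGate(SAMPLE_TIME, '7d', NOW));
```

Run against a real packument's `time` object (from `npm view <pkg> time --json`) to find a version that is or is not young enough for test steps 3 and 4.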
Brandon Pereira 2026-03-31 12:37:07 -06:00 committed by GitHub
parent 6e8ddd3736
commit c4dcfd75e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 7 additions and 5 deletions

Binary files not shown. Added: .yarn/releases/yarn-4.13.0.cjs (vendored executable file)


@ -1,3 +1,5 @@
nodeLinker: node-modules
yarnPath: .yarn/releases/yarn-4.5.1.cjs
yarnPath: .yarn/releases/yarn-4.13.0.cjs
npmMinimalAgeGate: 7d
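Review bot: the value added on the last line of this hunk, `npmMinimalAgeGate: 7d`, does not match the commit message, which quotes it as `npmMinimalAgeGate: 7`; the description should carry the unit so that anyone copying the setting into another repo does not write a bare number. The hunk also changes only the config, so nothing in `.yarnrc.yml` tells a contributor what to do when a needed fix (for example a security patch) is younger than seven days; a short comment above this line pointing at the team's agreed procedure for that case would save the first person who hits the gate a detour.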


@ -29,7 +29,7 @@ yarn setup # Install dependencies
yarn dev # Start full stack with worktree-isolated ports
```
The project uses **Yarn 4.5.1** workspaces. Docker Compose manages ClickHouse,
The project uses **Yarn 4.13.0** workspaces. Docker Compose manages ClickHouse,
MongoDB, and the OTel Collector.
**This repo is multi-agent friendly.** `yarn dev`, `make dev-int`, and
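Review bot: the only documentation change is the version string in `The project uses **Yarn 4.13.0** workspaces.`; the new seven-day age gate is not mentioned anywhere in the docs, even though the PR's own test step 3 expects contributors to see an age gate error when they add a freshly published package. Add a sentence next to this line saying that package versions published less than 7 days ago are rejected by design, so that the first such failure is not mistaken for a registry or network problem.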


@ -64,7 +64,7 @@
"prettier --write --ignore-unknown"
]
},
"packageManager": "yarn@4.5.1",
"packageManager": "yarn@4.13.0",
"resolutions": {
"@types/react": "19.0.7",
"@types/react-dom": "19.0.3",
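Review bot: `"packageManager": "yarn@4.13.0"` pins the version only; Corepack also accepts an integrity hash suffix on this field (`yarn@4.13.0+sha224.<hash>`), which would extend the PR's supply chain goal to the Yarn binary itself. Related: the vendored `.yarn/releases/yarn-4.13.0.cjs` appears in this commit only as a binary that is not shown, so nothing in the diff lets a reviewer confirm it matches the official release; record where it was downloaded from and its checksum in the PR description.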


@ -27233,11 +27233,11 @@ __metadata:
"typescript@patch:typescript@npm%3A^5.9.3#optional!builtin<compat/typescript>":
version: 5.9.3
resolution: "typescript@patch:typescript@npm%3A5.9.3#optional!builtin<compat/typescript>::version=5.9.3&hash=cef18b"
resolution: "typescript@patch:typescript@npm%3A5.9.3#optional!builtin<compat/typescript>::version=5.9.3&hash=5786d5"
bin:
tsc: bin/tsc
tsserver: bin/tsserver
checksum: 10c0/6f7e53bf0d9702350deeb6f35e08b69cbc8b958c33e0ec77bdc0ad6a6c8e280f3959dcbfde6f5b0848bece57810696489deaaa53d75de3578ff255d168c1efbd
checksum: 10c0/ad09fdf7a756814dce65bc60c1657b40d44451346858eea230e10f2e95a289d9183b6e32e5c11e95acc0ccc214b4f36289dcad4bf1886b0adb84d711d336a430
languageName: node
linkType: hard
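Review bot: the lockfile churn is limited to the typescript builtin patch entry (`hash=cef18b` becomes `hash=5786d5`, with a new `checksum:` line), while typescript itself stays at 5.9.3, so this is consistent with the Yarn upgrade rather than a dependency change; the commit message's Changes list does not mention `yarn.lock` at all, though. Add a line there noting that the only lockfile change is the refreshed builtin `compat/typescript` patch, so reviewers do not go looking for a dependency bump.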