## Summary
In response to the recent [axios supply chain attack](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan), we are tightening package management controls to reduce our exposure to malicious or compromised npm packages.
**Changes:**
- Updated `yarnPath` in `.yarnrc.yml` to point to Yarn 4.13.0
- Updated `packageManager` in `package.json` to reflect Yarn 4.13.0
- Removed old Yarn releases (4.5.1 and 1.22.18) from the `releases/` directory
- Added Yarn 4.13.0 to the `releases/` directory
- Set `npmMinimalAgeGate: 7` in `.yarnrc.yml` — Yarn will now block installation of any package version published less than 7 days ago, providing a buffer against freshly-injected malicious releases
### How to test locally or on Vercel
1. Pull this branch and run `yarn --version` — confirm it outputs `4.13.0`.
2. Run `yarn install` and verify it completes without errors.
3. Attempt to add a package version published within the last 7 days (e.g. a freshly released patch) and confirm Yarn rejects it with an age gate error.
4. Add a package version older than 7 days and confirm it installs successfully.
5. Confirm the old Yarn release files (`4.5.1`, `1.22.18`) are no longer present in `releases/`.
### References
- Blog post: [axios compromised on npm — malicious versions drop remote access trojan](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan)
