security: pin axios to 1.13.6 (supply chain attack CVE in 1.14.1)

[araa47]

URGENT: axios 1.14.1 contains a supply chain attack. Pinning to 1.13.6 to prevent npm from auto-resolving to the malicious version.

Change: package.json: ^1.7.9 → 1.13.6

See https://x.com/wesbos/status/2038809936314892572 for context.