fix(security): backport security dependency fixes to v13

[ankita10119]

Summary

Security-focused backport from master to the v13 (IE11-compatible) branch.
All changes preserve ES5 compatibility and have been verified with es-check es5 and tested in IE11.

Changes

Dependency security fixes

• qs → ^6.15.2 - addresses prototype pollution CVE (SNYK-JS-QS-16721866)
• validator → ^13.15.35 - ReDoS and input validation fixes
• password-sheriff pinned to 1.1.1 - v1.3.1 introduced ES6 shorthand
  syntax that breaks the IE11/ES5 bundle; pinned to last ES5-safe version
• auth0-js pinned to 9.28.0 - fixes SNYK-JS-AUTH0JS-16438973;
  cannot upgrade beyond 9.28.0 because 9.29.0+ pulls in superagent@10.x which calls new Proxy() at runtime — a global IE11 does not support
• fsevents → ^2.3.3 added to optionalDependencies - addresses SEC-2161; declared optional so Linux/Windows (including CI) skip it silently
• @auth0/component-cdn-uploader → ^3.0.2 - addresses GHSA-j965
  by dropping the transitive aws-sdk@2.x dependency (devDependency only, not in the Lock bundle)

CI fix

• scripts/strip-lock-resolved.js backported from master - strips JFrog private registry resolved URLs from package-lock.json before commits, fixing E401 failures on npm ci in GitHub Actions

Snyk policy

• .snyk updated with suppressions for auth0-js (IE11/Proxy blocker) and all outstanding dompurify CVEs (DOMPurify v3 dropped IE11 support; v13 must stay on v2)

Breaking change (also in master)

• Removed deprecated social strategies: Yammer, RenRen, MiiCard

References

Testing

• es-check es5 'build/*.js' - passes, no ES6+ syntax in bundle
• new Proxy() - confirmed absent from build/lock.min.js
• Verified in IE11 browser - Lock widget renders and functions correctly
• All 69 Jest unit test suites pass

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of the platform/language

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All code quality tools/guidelines have been run/followed
• All relevant assets have been compiled