
fix: resolve null domain handling and v13 lock bug fixes #2807

Draft
ankita10119 wants to merge 7 commits into v13 from SDK-8668-2


ankita10119 (Contributor) commented Jun 2, 2026

Changes

Bug fixes for Lock v13:

  • Null domain guard in enterprise connections (src/connection/enterprise.js)
    • matchConnection: added fallback (x.get('domains') || List()) to prevent crash when domains is null/undefined
    • findADConnectionWithoutDomain: same null guard applied for consistency
  • HRD screen domain check (src/connection/enterprise/hrd_screen.jsx)
    • Changed domain !== null to domain && domain.trim() so empty string and whitespace-only domains no longer incorrectly render the enterprise active login instructions header
  • Authorization error events (src/core/actions.js)
    • Added too_many_attempts to errorCodesThatEmitAuthorizationErrorEvent so the authorization_error event is correctly emitted for this error code
  • CordovaAuth0Plugin safe initialization (src/core/web_api/p2_api.js)
    • Guard added: typeof CordovaAuth0Plugin === 'function' before instantiating to prevent runtime errors in non-Cordova environments
  • i18n — Added hrd.not_matching_email error key across all 53 locale files

References

Testing

  • Added src/__tests__/connection/enterprise/matchConnection.test.js covering null domain edge cases
  • Updated hrd_screen.test.js and snapshot for the domain trim fix
  • Updated i18n.test.js to cover new hrd.not_matching_email key
  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language

Checklist

@ankita10119 ankita10119 requested a review from a team as a code owner June 2, 2026 08:59
@semgrepcode-auth0

Semgrep found 1 ssc-ace67ff4-0843-40f4-a8d3-13e050943589 finding:

Risk: Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using js-yaml on the CLI.

Fix: Upgrade this library to at least version 4.1.1 at lock/package-lock.json:15684.

Reference(s): GHSA-mh29-5h37-fv8m, CVE-2025-64718
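
An added example, not part of the Semgrep comment or the Lock code base: a lockfile check that lists every installed copy of js-yaml, nested copies included, below the 4.1.1 minimum named in the finding. The sample lockfile and the package name `some-tool` are constructed for illustration.

```javascript
// Threshold taken from the Semgrep comment above ("at least version 4.1.1").
const MIN_FIXED = '4.1.1';

// Compare two plain x.y.z versions numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name`, including nested ones.
// Handles lockfileVersion 2/3 ("packages") and lockfileVersion 1 ("dependencies").
function findInstalls(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Return the installs whose version is below the minimum fixed version.
function belowFixed(lock, name = 'js-yaml', min = MIN_FIXED) {
  return findInstalls(lock, name).filter(
    (h) => typeof h.version === 'string' && compareVersions(h.version, min) < 0
  );
}

// Constructed sample lockfile (not the project's real package-lock.json).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example' },
    'node_modules/js-yaml': { version: '4.1.1' },
    'node_modules/some-tool/node_modules/js-yaml': { version: '3.14.1' }, // hypothetical package
    'node_modules/js-yaml-loader': { version: '1.2.2' }, // name lookalike, must not match
  },
};
console.log(belowFixed(sampleLock));
```

A top-level upgrade does not remove nested copies pinned by other packages, which is why the check walks the whole tree rather than reading only the root entry.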

@cschetan77 cschetan77 marked this pull request as draft June 3, 2026 11:14