diff --git a/package-lock.json b/package-lock.json
index 98b3fbc0f..542689be2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,14 +10,14 @@
       "license": "MIT",
       "dependencies": {
         "auth0-js": "^9.29.0",
-        "auth0-password-policies": "^1.0.2",
+        "auth0-password-policies": "^3.1.0",
         "blueimp-md5": "^2.19.0",
         "classnames": "^2.3.2",
         "dompurify": "^3.2.5",
         "events": "^3.3.0",
         "immutable": "^3.7.6",
         "jsonp": "^0.2.1",
-        "password-sheriff": "^1.1.1",
+        "password-sheriff": "^2.0.0",
         "prop-types": "^15.8.0",
         "qs": "^6.14.1",
         "react": "^18.2.0",
@@ -7589,11 +7589,12 @@
       "integrity": "sha512-jk1+QP6ZJqyOiuEI9AEWQfju/nB2Pw466kbA0LEZljHwKeMgd9WrAEgEGxjPDD2+TNbbb37rTyhEfrCXfuKXnA=="
     },
     "node_modules/auth0-password-policies": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/auth0-password-policies/-/auth0-password-policies-1.0.2.tgz",
-      "integrity": "sha512-ZshousKt+Wfv/iIBS3oQfOsH8NBF9IbL15qd2Qur8YfiQrRjrAT0T7VaesnrytYEHEXkUbHcdxWEAlyr16w20A==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/auth0-password-policies/-/auth0-password-policies-3.1.0.tgz",
+      "integrity": "sha512-2HDXLFh0SjUXknIu5z+FiHjIkdsEADJr4iSQmBr9namek7mio7A77TRphLKi0h7eIlU1m/X9QaSOB4neuuSPKg==",
+      "license": "UNLICENSED",
       "dependencies": {
-        "password-sheriff": "^1.1.0"
+        "password-sheriff": "^2.0.0"
       }
     },
     "node_modules/autoprefixer": {
@@ -19216,9 +19217,9 @@
       }
     },
     "node_modules/password-sheriff": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/password-sheriff/-/password-sheriff-1.3.1.tgz",
-      "integrity": "sha512-sD3NLKdjGZHQn1JPPGUeWZsh0DPRHlfReW4Y7g8V20+pgU2/rp/4JJM+Gm53FlakKgDCotVU/CL0imIShTvYhA==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/password-sheriff/-/password-sheriff-2.0.0.tgz",
+      "integrity": "sha512-wt/vYZVdrROLi6LWBBsau8lM0V24KTvtzN62Iunh+C6dV+5q8Jn1HccOBO6dmm8+4IuM7plSUyD2ZV6ykSIj6g==",
       "license": "MIT"
     },
     "node_modules/path-browserify": {
diff --git a/package.json b/package.json
index 43f773bb9..d19bef874 100644
--- a/package.json
+++ b/package.json
@@ -119,14 +119,14 @@
   },
   "dependencies": {
     "auth0-js": "^9.29.0",
-    "auth0-password-policies": "^1.0.2",
+    "auth0-password-policies": "^3.1.0",
     "blueimp-md5": "^2.19.0",
     "classnames": "^2.3.2",
     "dompurify": "^3.2.5",
     "events": "^3.3.0",
     "immutable": "^3.7.6",
     "jsonp": "^0.2.1",
-    "password-sheriff": "^1.1.1",
+    "password-sheriff": "^2.0.0",
     "prop-types": "^15.8.0",
     "qs": "^6.14.1",
     "react": "^18.2.0",
diff --git a/webpack.config.js b/webpack.config.js
index 03a7fd360..5c7049385 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -57,6 +57,20 @@ module.exports = {
   },
   module: {
     rules: [
+      {
+        // auth0-password-policies uses ES2020+ syntax (optional chaining) that
+        // must be transpiled for the IE 11 / ES2017 build target. Babel's
+        // .babelrc is file-relative and does not apply across package
+        // boundaries, so presets are passed explicitly here.
+        test: /\.js$/,
+        include: path.join(__dirname, 'node_modules', 'auth0-password-policies'),
+        loader: 'babel-loader',
+        options: {
+          presets: [['@babel/preset-env', { useBuiltIns: 'entry', corejs: '3.26.1' }]],
+          configFile: false,
+          babelrc: false
+        }
+      },
       {
         test: /\.jsx?$/,
         loader: 'babel-loader',