Bump lodash and node-opcua in /Demos/UA to GraphQL

[dependabot]

Removes lodash. It's no longer used after updating ancestor dependency node-opcua. These dependencies need to be updated together.

Removes lodash

Updates node-opcua from 2.18.0 to 2.168.0

Release notes

Sourced from node-opcua's releases.

v2.168.0

Release Notes - v2.168.0

TL;DR:

Version 2.168.0 is a stability and performance release. It fixes a infinite recursion bug in response handling (#1490), fully migrates core packages from async/lodash to native modern JavaScript patterns, and introduces a more robust typed event system and certificate management architecture.

---

✨Features

• Server: Added channelSecured event for post-handshake notifications [af7ef3419].

🐛Bug Fixes

• Core: Prevented infinite recursion in send_response when chunking fails (#1490) [51ef025bc].
• Secure Channel: Implemented fallback to the latest valid token when a request's token expires [ae65dea32].
• Server: Deferred channel shutdown until after the ApplyChanges response is sent [8484b9853].
• Address Space: Fixed address-space-base imports and applied security hardening [d636f0cc3].
• Maintenance: Resolved various TypeScript and Biome violations across the codebase [16302c4be, 45a14062b, 887a42d3f, 1372b5cbb].
• Tests: Hardened server shutdown tests [c834243a0], added TokenStack fallback coverage [823f38d5c], and increased T73 secure channel renewal token lifetime to reduce flakiness [a13bbb014].

🔧 Refactoring & Improvements

• Performance: Replaced async library [3269940ac] and lodash [b99520d09] with native async/await, Promises, and targeted alternatives.
• Type Safety: Unified certificate chain providers [49b8736a4] and implemented typed EventEmitter<T> patterns for server events [1f7040e4b].
• Structure: Split conformance testing into focused modules [e4c5eb978] and cleaned up the address space conformance package [168a8f624].
• Transport: Enhanced type safety and removed unsafe patterns in the transport layer [785d89fa1].
• Security: Simplified push certificate management [dab64e9f5].
• Debugability: Internal channel callbacks are now hidden from the debugger for a cleaner debugging experience [e0d2b40a9].
• Testing Infrastructure: Hardened leak detector for Mocha 12 and tsx [c7170e507].

🧹 Chores

• Updated Biome formatting [465eb93a5] and fixed misused Mocha timeout configurations [eac92cc02].

---

👬🏽 Contributors

• Special thanks to @​RatishKashyap of #1490 for their detailed report

What's Changed

• Refactor server by @​erossignon in node-opcua/node-opcua#1491 Full Changelog: node-opcua/node-opcua@v2.167.0...v2.168.0

🚀 Release Notes — v2.167.0

node-opcua Release Notes: v2.165.1 → v2.167.0

v2.167.0

... (truncated)

Commits

• 653b6d6 v2.168.0
• eac92cc chore: fix Mocha.Suite.settimeout misused
• 1372b5c fix: misc cleanup across address-space, secure-channel and server
• 785d89f refactor(transport): cleanup type safety and remove unsafe patterns
• d636f0c fix: address-space-base import + security hardening
• 887a42d fix: misc fixes for mocha 12 + biome + flaky T73
• a13bbb0 fix(e2e): increase T73 secure channel renewal token
• c7170e5 refactor(leak-detector): harden for mocha 12 + tsx
• e4c5eb9 refactor: split conformance testing into focused modules
• 168a8f6 refactor: clean up address_space_for_conformance_testing
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for node-opcua since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.