fix(deps): update dependency node-opcua to v2.167.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
node-opcua (source)	2.166.0 → 2.167.0

---

Release Notes

node-opcua/node-opcua (node-opcua)

v2.167.0: 🚀 Release Notes — v2.167.0

Compare Source

node-opcua Release Notes: v2.165.1 → v2.167.0

v2.167.0

✨ Features

• server-config: Accept certificate chain in TrustListClient.addCertificate — enables full chain trust management via the GDS push model [135902c]
• core: Thread ISessionContext through ApplyChanges event chain — allows consumers to identify which session triggered a configuration change [4033f97]

🐛 Bug Fixes

• server: Harden register_server_manager against null/missing values [95b5aa5]
• server: Use explicit length check for certificate chain instead of truthiness guard — prevents edge cases with empty arrays [ef3f04e]
• core: Harden certificate validation and fix Certificate[] migration [d276591]
• core: Resolve tsc --noEmit errors in node-opcua-end2end-test test suite [e34bbb1]

🔧 Refactor

• server-config: Self-contained test certificates — tests no longer depend on external PKI state [13f310f]

---

v2.166.1

🐛 Bug Fixes

• client: Fix "Callback was already called" race condition during connection abort — prevents double-callback crash when a connection is terminated mid-handshake [c487bf5]

🧹 Chores

• Update node-opcua-pki / node-opcua-crypto dependencies [713f852]

---

v2.166.0

🐛 Bug Fixes

• secure-channel: Add TTL eviction to nonce cache — prevents unbounded memory growth on long-lived servers with many reconnections [b82c293]
• server: Add nonce verification to UserNameIdentityToken password extraction — hardens against replay attacks [c6b0573]

🧹 Chores

• Minor fixes [e4c3c87]
• Update packages [6ac3120]

⚠️ Security

• Nonce verification for password tokens [c6b0573]: The server now verifies that the nonce embedded in UserNameIdentityToken matches the nonce issued during CreateSession. This is a security hardening measure that protects against credential replay attacks.

• Nonce cache TTL eviction [b82c293]: Stale entries in the secure-channel nonce cache are now evicted after a configurable TTL, preventing memory exhaustion on servers handling many short-lived client connections.

---

v2.165.2

🧹 Chores

• Update packages — support for OpenSSL > 3.5 [e625c48]

---

Test Fixes (across versions)

• Fix hardcoded namespace index in AddIn instantiation test [25ab1b6]
• Fix chained certificate test to expect success instead of failure [c0f5f35]

Upgrade Notes

[!TIP]
OpenSSL 3.5+ support: v2.165.2+ includes updated node-opcua-pki and node-opcua-crypto packages that are compatible with OpenSSL 3.5+. If you were seeing crypto-related errors on newer Node.js builds, this update resolves them.

[!NOTE]
Certificate chain support: If you use GDS push certificate management, TrustListClient.addCertificate now correctly handles full certificate chains (not just leaf certificates). No API changes required — existing code continues to work.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.