More descriptive PR message when multiple dependencies are fixed in a security update

[Nishnha]

This PR adds a #transitive_multidependency_intro method to provide a more descriptive PR intro when multiple dependencies are updated in a transitive dependency update.

Some caveats:

• Avoids using the transitive multidependency message in lieu of the removed dependency message if any dependency is removed in an update.

• Still uses the old PR message when a single transitive dependency is updated (see https://github.com/dsp-testing/dependabot-reproduce-update-not-possible/pull/66 for an example)

---

An example PR after this change would read as:

Bumps node-forge to 1.3.1 and updates ancestor dependency webpack-dev-server. These dependencies need to be updated together.

Also see the image below:

[Nishnha]

Another heuristic for transitive dependency updates that @mctofu mentioned is whether the dependencies being updated have a mix of top_level? and non top-level dependencies.

Since it is possible to have a transitive dependency update that only updates the transitive dependency, I think we can get away with checking if any of the dependencies being updated is not a top_level? dep

[mctofu]

Looks good! Just had some minor cleanup suggestions.

[Nishnha]

I deployed this but haven't been able to generate a PR that uses the updated copy.

Not sure if it's due to how @dependabot recreate works, but I would expect the recreated PR to use the new the PR message.

Oddly enough, the dry-runner is showing the updated copy when I pass in the exact same job, so maybe this will only work for newly created PRs.

[jeffwidman]

Yeah, from #4652:

However, when Dependabot recreated the PR, it didn't reset the commit title or description. It merely reset the code changes of the commit.

Implementation details in #4652 (comment), hopefully we can fix that at some point...