[npm] fix failure to attempt parent update if unfixed transitive update is available

[mctofu]

This fixes an issue that prevents Dependabot from trying to update a parent dependency when updating a vulnerable transitive dependency.

Ex: A vulnerability is reported in dependency B for all versions < 2.0.0
We start with:

A (1.0.0, allows B ^1.0.0) -> B (1.0.0, vuln)

To successfully fix this vulnerability we need to update A:

A (1.0.1, allows B ^2.0.0) -> B (2.0.0, fixed)

However, if Dependabot found there was a version B was allowed to update to it would propose that instead:

A (1.0.0, allows B ^1.0.0) -> B (1.0.1, still vuln)

The end result would be the job fails as not possible because it fails the vuln fix check at

dependabot-core/updater/lib/dependabot/updater.rb

Lines 274 to 282 in 8ab4d78

	# Prevent updates that don't end up fixing any security advisories,
	# blocking any updates where dependabot-core updates to a vulnerable
	# version. This happens for npm/yarn subdendencies where Dependabot has no
	# control over the target version. Related issue:
	# https://github.com/github/dependabot-api/issues/905
	if job.security_updates_only? &&
	updated_deps.none? { |d| job.security_fix?(d) }
	return record_security_update_not_possible_error(checker)
	end

This fix adds detection that the update of B to 1.0.1 is still vulnerable and rejects it so we'll keep looking and find the solution that updates A. I've also tweaked the dry-run script to more closely match the updater.

[bdragon]

Nice!

[bdragon]

I think L743-746 could use one more space of indentation.

[mctofu]

thanks! fixed with rubocop in 73b3e51

[bdragon]

👌