NPM security update job doesn't pick minimal version when it's a transitive dependency

[ryanbrandenburg]

This line causes Dependabot-Core to choose the highest applicable version for transitive dependencies in NPM which can lead to weird behavior. Take this example repo and run it against this job:

job:
   dependencies:
   - cross-spawn
   security-advisories:
   - dependency-name: cross-spawn
     affected-versions:
     - '>= 7.0.0, < 7.0.5'
     - '>= 0, < 6.0.6'
   existing-pull-requests:
   - - dependency-name: cross-spawn
       dependency-version: 7.0.5
   security-updates-only: true
   updating-a-pull-request: true
   commit-message-options:
     prefix: '[SECURITY] '
   experiments:
     lead_security_dependency: true
   source:
     directories:
     - /
     provider: github
     repo: ryanbrandenburg/crossspawn
     branch: main
   package-manager: npm_and_yarn

Which is modeled off a real scenario. The existing PR (with version 7.0.5) is not getting rebased because we try to create a new one instead (due to this check failing). Of particular note to this scenerio is that cross-spawn 7.0.6 was published after the existing PR was created.

[ryanbrandenburg]

@abdulapopoola I created a discussion for this #11160. Let me know if there's additional context that would be good on there.