dotnet update package --vulnerable (Audit fix)

[nkolev92]

NuGet Product(s) Involved

Visual Studio Package Management UI, dotnet.exe

The Elevator Pitch

Provide an automated way for fixing project graphs with vulnerabilities in them.

Frequently when transitive packages have vulnerabilities, updating the pasckages becomes a challenge.
Should I update the top level package? Update the vulnerable package only?
Is that enough?
Does that bring new vulnerabilities?

Doing this perfectly will be challenging, but something is better than nothing :D

Additional Context and Details

Mentioned in #11549 and part of the #8087 epic.

[Frulfump]

When a package is promoted to a direct dependency to fix a vulnerability could the tool automatically add a comment that explains why it was added. Otherwise these dependencies will be left there forever when they might no longer be required. Ideally some automatic way of unpinning transitives that are no longer required would be really nice.