NPM security update job doesn't pick minimal version when it's a transitive dependency #11160
Unanswered. ryanbrandenburg asked this question in Q&A.
Replies: 0 comments
In this issue we discovered that NPM's behavior for transitive non-conflicted dependencies (select the highest) can cause Dependabot to behave non-idempotently (if a new version of the package was released).

My topic of discussion is what we should do about that. Personally, my suggestion would be to select the lowest possible version instead of the highest. That would make Dependabot behave idempotently unless someone deletes a package version (and if they're deleting versions we have other problems). However, looking at the code, the current state is clearly intentional behavior, so it would be good to understand the "choose highest" perspective.
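The idempotence point above, as an added illustration that is not Dependabot's or npm's own code: a toy resolver for one non-conflicted transitive dependency, run twice with a new release published in between, under both the "highest" and "lowest" selection policies. It assumes plain MAJOR.MINOR.PATCH versions, caret ranges only, and constructed sample registry data.

```javascript
// Added illustration (not Dependabot's or npm's code): how the selection policy
// for a non-conflicted transitive dependency affects run-to-run idempotence.
// Assumptions: plain MAJOR.MINOR.PATCH versions (no prerelease tags) and caret
// ranges such as "^1.2.0" only; the ^0.0.x special case is ignored.

function parse(v) {
  return v.split('.').map(Number);
}

// Numeric comparison of two versions; usable directly as a sort comparator.
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 for X >= 1,
// and >=0.Y.Z and <0.(Y+1).0 when X is 0.
function satisfiesCaret(range, v) {
  const lo = range.slice(1);
  const [lmaj, lmin] = parse(lo);
  const [vmaj, vmin] = parse(v);
  const sameLine = lmaj === 0 ? vmaj === 0 && vmin === lmin : vmaj === lmaj;
  return sameLine && cmp(v, lo) >= 0;
}

// Pick a version for the range from what the registry currently offers.
function resolve(range, published, policy) {
  const ok = published.filter((v) => satisfiesCaret(range, v)).sort(cmp);
  if (ok.length === 0) throw new Error(`nothing satisfies ${range}`);
  return policy === 'highest' ? ok[ok.length - 1] : ok[0];
}

// Two runs against the same manifest, with a new transitive release
// published between them. Registry contents are constructed sample data.
function simulateRuns(policy) {
  const range = '^1.2.0';
  const before = ['1.2.0', '1.2.5', '1.3.0'];
  const after = [...before, '1.4.0'];
  return { first: resolve(range, before, policy), second: resolve(range, after, policy) };
}

// True only if both runs would write the same lock entry.
function isIdempotent(policy) {
  const r = simulateRuns(policy);
  return r.first === r.second;
}

console.log('highest:', simulateRuns('highest'), 'idempotent?', isIdempotent('highest'));
console.log('lowest :', simulateRuns('lowest'), 'idempotent?', isIdempotent('lowest'));
```

The "highest" policy moves from 1.3.0 to 1.4.0 between runs, while "lowest" stays on 1.2.0; the same reproducibility argument is why committed lockfiles matter for supply-chain review.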