Open
Description
If an advisory has a patched version, or a crate is yanked, we emit a "... (try cargo update -p <package_name>)". The problem is that we don't actually do any checking to see if performing that action will fix the issue.
- A version can be yanked without a semver compatible upgrade (or downgrade) (e.g. Allowing a yanked crate #579)
- The patched version in the advisory could be unselectable due to the current version constraints in the dependency graph
We already have the registry metadata for every crate in the graph, so it's possible to put in a little more effort here and either show that message if it could fix the issue, or else give a more detailed message about why a simple update won't actually work.
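
A sketch of the check described above, added here as an illustration and not taken from cargo-deny's code. It assumes every requirement in the graph is a caret requirement and that the advisory's patched range is a single minimum version; `Published`, `Hint` and `update_hint` are hypothetical names.

```rust
// Added illustration, not cargo-deny code. Versions are (major, minor, patch)
// and every requirement is treated as a caret requirement (Cargo's default).
type Ver = (u64, u64, u64);

struct Published { ver: Ver, yanked: bool } // one registry entry (constructed)

#[derive(Debug, PartialEq)]
enum Hint {
    TryUpdate(Ver),             // `cargo update -p <package_name>` can select this version
    FixOutsideConstraints(Ver), // a fix is published, but the graph's requirements exclude it
    NoFixPublished,             // no non-yanked, patched version exists in the registry
}

// Caret semantics: same left-most non-zero component, and not older than `req`.
fn caret_matches(req: Ver, v: Ver) -> bool {
    v >= req && match req {
        (0, 0, _) => v == req,
        (0, minor, _) => v.0 == 0 && v.1 == minor,
        (major, _, _) => v.0 == major,
    }
}

// `reqs`: requirements that dependents place on the crate.
// `first_patched`: None for a yanked-only finding, where any non-yanked version is a fix.
fn update_hint(registry: &[Published], reqs: &[Ver], first_patched: Option<Ver>) -> Hint {
    let fixes: Vec<Ver> = registry.iter()
        .filter(|p| !p.yanked && first_patched.map_or(true, |min| p.ver >= min))
        .map(|p| p.ver)
        .collect();
    let selectable = fixes.iter().copied()
        .filter(|v| reqs.iter().all(|r| caret_matches(*r, *v)))
        .max();
    match (selectable, fixes.iter().copied().max()) {
        (Some(v), _) => Hint::TryUpdate(v),
        (None, Some(v)) => Hint::FixOutsideConstraints(v),
        (None, None) => Hint::NoFixPublished,
    }
}

fn main() {
    // Constructed case: 0.3.1 is yanked and only 0.4.0 remains, outside ^0.3.0.
    let registry = [Published { ver: (0, 3, 1), yanked: true },
                    Published { ver: (0, 4, 0), yanked: false }];
    println!("{:?}", update_hint(&registry, &[(0, 3, 0)], None));
}
```

Only the `TryUpdate` result justifies printing the existing hint; the other two variants carry enough information for a message that explains why a plain update will not help.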