Clarify + improve --update param

[ctcjab]

1. Is it intended to accept an optional version constraint as well as a package name? Currently passing a version constraint (--update=foo==X.Y.Z) is not rejected, but it seems to be silently ignored (foo’s latest version is still resolved).
2. Is it intended to accept any (transitive) dependency in the lockfile, or only one of the direct dependencies declared in one of the input files? Passing a transitive dependency (such as ca-certificates) is not rejected, but causes many more packages to be updated than expected. Is this just garbage in garbage out, or a larger bug?
3. Document under what circumstances unrelated packages are expected to be updated as a side effect (eg any configured via aggressive_update_packages? Any others?)