79257095

Date: 2024-12-06 07:00:51
Score: 0.5
Natty:

What would be the most feasible way to update these?

This blog provides recommended actions when your project uses a package with a known vulnerability. Our recommendation is to prefer updates to packages “closest” to your direct references.

For example, Package A has a dependency on package B, which in turn has a dependency on package C. In this example, we'll consider that package C version 1.0.0 has a known vulnerability, fixed in version 2.0.0.

Recommendation steps:

  1. Try upgrading package A.
  2. If that doesn’t resolve the audit warning, then try upgrading package B.
  3. If that doesn’t resolve the audit warning, then upgrade C directly.

If you want to upgrade transitive packages, you can do:

  1. Add the fixed package version as a direct package reference.
  2. Use Central Package Management with the transitive pinning functionality.

What would happen if the 3rd party upgrades the vulnerable package themselves and I've already installed another version?

Updating the top-level package can automatically update the vulnerable transitive package as well. I think it is possible to have two versions of the same NuGet package installed in a project, one as a transitive package and the other as a direct reference. Then it picks the version that satisfies the most constraints.

Docs Referred:

NuGetAudit 2.0: Elevating Security and Trust in Package Management

Auditing package dependencies for security vulnerabilities

Reasons:
  • Blacklisted phrase (1): This blog
  • Long answer (-1):
  • No code block (0.5):
  • Contains question mark (0.5):
  • Starts with a question (0.5): What would
  • High reputation (-1):
Posted by: Dou Xu-MSFT
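The two transitive-upgrade options from the answer above, written out as an added example configuration. This is not code from the original post or from Microsoft's docs; the package names PackageA and PackageC and their version numbers are hypothetical placeholders for the answer's A -> B -> C scenario, while the MSBuild properties (ManagePackageVersionsCentrally, CentralPackageTransitivePinningEnabled, NuGetAudit, NuGetAuditMode, NuGetAuditLevel) and the NU1901-NU1904 audit warning codes are real NuGet features.

```xml
<!-- Directory.Packages.props at the repository root. Added example; PackageA and
     PackageC are hypothetical placeholders for the answer's A -> B -> C chain. -->
<Project>
  <PropertyGroup>
    <!-- Central Package Management: versions are declared here, and each .csproj
         uses <PackageReference Include="..." /> with no Version attribute. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>

    <!-- Option 2 from the answer: allow a PackageVersion entry below to override the
         version of a package that is reached only transitively (A -> B -> C). -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>

    <!-- NuGetAudit settings. Mode "all" audits transitive packages as well as direct
         ones (NuGetAudit 2.0 makes this the default; set it explicitly for older SDKs),
         and level "low" reports every severity. Promoting the NU190x audit warnings
         to errors makes a vulnerable C fail the restore instead of only warning. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Step 1 from the answer: bump the direct dependency A first; if the new A
         already depends on a fixed C (2.0.0 or later), nothing else is needed. -->
    <PackageVersion Include="PackageA" Version="3.1.0" />

    <!-- Step 3 fallback: pin the transitive C to the fixed version. With transitive
         pinning enabled this single entry is enough; no .csproj change is required
         and C does not become a direct reference. -->
    <PackageVersion Include="PackageC" Version="2.0.0" />
  </ItemGroup>
</Project>
```

Without Central Package Management, option 1 from the answer is simply a direct `<PackageReference Include="PackageC" Version="2.0.0" />` in the .csproj; NuGet resolves one version of a package per target framework, and its nearest-wins rule makes the direct reference take precedence over the version B asks for. In both variants the pinned version must be at least the version B requires, otherwise restore reports a package downgrade (NU1605 for the direct-reference case). To check the result, run `dotnet list package --vulnerable --include-transitive` before and after the change, and on newer SDKs `dotnet nuget why <project> PackageC` prints the dependency path that pulls C in, which tells you which package is "closest" to your direct references and therefore the first candidate to upgrade.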