Description
Hello,
I would like to flag an unexpected behavior in the way the Dependency Review action fails on a severity level. The action does not honor the `fail-on-severity` configuration if there are other "non-ignored" GHSAs with a severity lower than the one set in `fail-on-severity`.

For example, with the config option set to `fail-on-severity: high`, the action fails even if the GHSA is added to the `allow-ghsas` configuration. This behavior occurs when there is a `moderate` severity vulnerability in addition to the `high` severity vulnerability in the introduced dependency. The config `fail-on-severity: high` is supposed to fail if dependencies contain a `high` severity vulnerability. In practice the action seems to fail even if it contains ignored `high` GHSAs and, in addition, the dependency also contains GHSAs with a severity lower than the one configured in `fail-on-severity`. The summary/debug logs still show the "ignored" GHSA as the cause of failure.

Here are PRs in a public repository that reproduce this behavior:

- virangdoshi/juice-shop#30 - Configured to fail on `high`. A `high` criticality "ignored" vulnerability with multiple "medium" criticality vulnerabilities
- virangdoshi/juice-shop#26 - Configured to fail on `critical`. A `critical` "ignored" vulnerability with multiple "high" criticality vulnerabilities
Any help or clarification on this issue would be highly appreciated! Thanks in advance
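As an added example (not the action's own code), here is a small Python model of the configuration semantics the report expects: `allow-ghsas` is applied first, and `fail-on-severity` is then checked only against the advisories that remain. The GHSA IDs are constructed placeholders, and the severity order low < moderate < high < critical is an assumption based on GitHub's advisory levels.

```python
from dataclasses import dataclass

# Assumed severity ranking used for the fail-on-severity threshold.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str   # GHSA identifier of the advisory
    severity: str  # one of the keys in SEVERITY_RANK


def filter_allowed(advisories, allow_ghsas):
    """Drop advisories whose GHSA ID is on the allow-ghsas list (case-insensitive)."""
    allowed = {g.strip().upper() for g in allow_ghsas}
    return [a for a in advisories if a.ghsa_id.upper() not in allowed]


def should_fail(advisories, fail_on_severity, allow_ghsas=()):
    """Expected semantics: ignore allow-listed GHSAs first, then fail only if a
    remaining advisory is at or above the configured threshold.
    Returns (fail, offenders) where offenders are the advisories that caused it."""
    threshold = SEVERITY_RANK[fail_on_severity]
    remaining = filter_allowed(advisories, allow_ghsas)
    offenders = [a for a in remaining if SEVERITY_RANK[a.severity] >= threshold]
    return bool(offenders), offenders


# Constructed sample matching the reported scenario: one allow-listed high advisory
# plus several moderate ones, checked with fail-on-severity: high.
# The IDs below are placeholders, not real advisories.
SAMPLE = [
    Advisory("GHSA-PLACEHOLDER-0001", "high"),
    Advisory("GHSA-PLACEHOLDER-0002", "moderate"),
    Advisory("GHSA-PLACEHOLDER-0003", "moderate"),
]

if __name__ == "__main__":
    # With the high advisory allow-listed, nothing at or above "high" remains,
    # so the check should pass even though moderate advisories are present.
    fail, offenders = should_fail(SAMPLE, "high", allow_ghsas=["GHSA-PLACEHOLDER-0001"])
    print("fail:", fail, "offenders:", [a.ghsa_id for a in offenders])  # fail: False
    # Without the allow list, the high advisory is the single offender.
    fail, offenders = should_fail(SAMPLE, "high")
    print("fail:", fail, "offenders:", [a.ghsa_id for a in offenders])  # fail: True
```

Comparing the action's summary against the `offenders` list for the same inputs makes it easy to tell whether an "ignored" GHSA is still being counted toward the failure.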