diff --git a/src/filter.ts b/src/filter.ts
index 9599d04e0..6921c204d 100644
--- a/src/filter.ts
+++ b/src/filter.ts
@@ -1,5 +1,13 @@
 import {Changes, Severity, SEVERITIES, Scope} from './schemas'
+/**
+ * Filters changes by a severity level. Only vulnerable
+ * dependencies will be returned.
+ *
+ * @param severity - The severity level to filter by.
+ * @param changes - The array of changes to filter.
+ * @returns The filtered array of changes that match the specified severity level and have vulnerabilities.
+ */
 export function filterChangesBySeverity(
   severity: Severity,
   changes: Changes
@@ -31,7 +39,14 @@ export function filterChangesBySeverity(
   filteredChanges = filteredChanges.filter(
     change => change.vulnerabilities.length > 0
   )
-  return filteredChanges
+
+  // only report vulnerability additions
+  return filteredChanges.filter(
+    change =>
+      change.change_type === 'added' &&
+      change.vulnerabilities !== undefined &&
+      change.vulnerabilities.length > 0
+  )
 }
 export function filterChangesByScopes(
diff --git a/src/main.ts b/src/main.ts
index 750d31c33..9f11f6ead 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -80,21 +80,17 @@ async function run(): Promise {
     return
   }
-  const minSeverity = config.fail_on_severity
   const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
+
   const filteredChanges = filterAllowedAdvisories(
     config.allow_ghsas,
     scopedChanges
   )
+  const minSeverity = config.fail_on_severity
   const vulnerableChanges = filterChangesBySeverity(
     minSeverity,
     filteredChanges
-  ).filter(
-    change =>
-      change.change_type === 'added' &&
-      change.vulnerabilities !== undefined &&
-      change.vulnerabilities.length > 0
   )
   const invalidLicenseChanges = await getInvalidLicenseChanges(
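Review bot: The new TSDoc on filterChangesBySeverity under-states what the function now returns, because the second hunk of this file makes it also drop every change whose change_type is not 'added', and neither the summary nor the @returns line mentions that. A reader of the docstring alone would expect updated or removed dependencies with advisories to come back as well. Suggest `@returns The changes with change_type 'added' whose vulnerabilities reach the given severity level.` and adding "Only added dependencies are reported" to the summary sentence, so the contract and the code agree.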
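Review bot: The added `change.vulnerabilities !== undefined` guard in the new tail filter of filterChangesBySeverity is dead, because the context line three lines above already evaluates `change.vulnerabilities.length > 0` without a guard, so a change with no vulnerabilities array would have thrown before the new filter runs, and the length test is then repeated. Either fold the new condition into the existing filter, `change => change.change_type === 'added' && change.vulnerabilities.length > 0`, or keep the undefined guard but place it before the first access. Moving the 'added' restriction into this shared helper also narrows its result for any other caller not shown here, so changes that are updated or removed but still carry advisories will silently stop coming out of it; worth confirming that is intended at every call site. The head of filterChangesBySeverity lies outside this hunk.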