Why does a PR Check set to 'fail when there is a fix' sometimes also show vulnerabilities without a fix?