Consider any of the following as possible reason for this:
1. The notification or the PR was opened a while ago and since then the package.json has been updated.
2. The repository has a lockfile that is out of date and shows older versions than those that appear in package.json. Attempt to re-lock it using npm install or yarn install.
3. Verify that the Snyk project you are looking at is indeed the one being monitored. When you add a project from the snyk cli (using snyk monitor), and also create an SCM integration for it (such as GitHub), then you will see two different Snyk projects showing in the UI.