Dependency List sorting bug
Problem to solve
During the Sec Offsite, we had a user journey bingo where groups of 2-3 people were asked to complete a number of tasks related to Sec section features. One of the problems identified by several groups was that the Dependency List's default sorting by severity was broken. The expectation was to see the components with the highest number of Criticals at the top, followed by those with Criticals and Highs, followed by Highs, etc. Not only does the sorting of the components appear to be broken, but there doesn't appear to be any logic for the order of the vulnerabilities shown within a component.
Examples:
1. A component with multiple Highs (rack 3.1.8) should be listed before a component with a single High (kind-of, dns-packet, and json).
2. Within the list of vulnerabilities, the order should be descending by severity (Criticals grouped at the top, followed by Highs, etc.).
Nitpick: We should remove the line under the total vulnerability badge in the right column when expanded.
Proposal
When the Dependency List is in the default sorting state (by Severity):
- Sort components by the highest number of Criticals at the top, followed by Highs, etc.
  Example:
  - Component Y: 5 Criticals and 1 High
  - Component Q: 5 Criticals
  - Component D: 4 Highs and 1 Medium
  - Component E: 4 Highs and 2 Unknown
  - Component A: 3 Medium
- Sort the vulnerabilities by severity under the component.
  Example:
  - Critical
  - Critical
  - High
  - Medium
  - Unknown
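The proposed ordering, written out as an added JavaScript example (not GitLab's own Dependency List code): each component is reduced to a vector of per-severity counts and components are compared on that vector from most to least severe, which reproduces the Y, Q, D, E, A order above; the inner list is then sorted by severity rank. The page only names Critical, High, Medium and Unknown, so the positions of `low` and `info` in the rank order, the `name`/`vulnerabilities`/`severity` field names and the sample data are assumptions.

```javascript
// Severity rank, highest first. The proposal shows Critical > High > Medium > Unknown;
// placing 'low' and 'info' between medium and unknown is an assumption.
const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'unknown'];

const rank = (severity) => {
  const i = SEVERITY_ORDER.indexOf(String(severity).toLowerCase());
  // Unrecognised values are treated as 'unknown' so they never outrank real findings.
  return i === -1 ? SEVERITY_ORDER.length - 1 : i;
};

// Count findings per level, e.g. [5, 1, 0, 0, 0, 0] for "5 Criticals and 1 High".
const severityCounts = (vulnerabilities) => {
  const counts = new Array(SEVERITY_ORDER.length).fill(0);
  vulnerabilities.forEach((v) => { counts[rank(v.severity)] += 1; });
  return counts;
};

// Compare count vectors position by position: most Criticals first, ties broken
// by Highs, then Mediums, and so on. Exact ties fall back to the component name.
const compareComponents = (a, b) => {
  const ca = severityCounts(a.vulnerabilities);
  const cb = severityCounts(b.vulnerabilities);
  for (let i = 0; i < ca.length; i += 1) {
    if (ca[i] !== cb[i]) return cb[i] - ca[i];
  }
  return a.name.localeCompare(b.name);
};

// Returns a new list: components ordered by severity, and each component's
// vulnerabilities ordered Critical -> High -> Medium -> ... -> Unknown.
function sortBySeverity(components) {
  return components
    .map((c) => ({
      ...c,
      vulnerabilities: [...c.vulnerabilities].sort((x, y) => rank(x.severity) - rank(y.severity)),
    }))
    .sort(compareComponents);
}

// Constructed sample mirroring the proposal's example (field names are assumed).
const vulns = (...sevs) => sevs.map((severity) => ({ severity }));
const SAMPLE = [
  { name: 'Component A', vulnerabilities: vulns('medium', 'medium', 'medium') },
  { name: 'Component E', vulnerabilities: vulns('unknown', 'high', 'high', 'unknown', 'high', 'high') },
  { name: 'Component D', vulnerabilities: vulns('high', 'medium', 'high', 'high', 'high') },
  { name: 'Component Q', vulnerabilities: vulns('critical', 'critical', 'critical', 'critical', 'critical') },
  { name: 'Component Y', vulnerabilities: vulns('high', 'critical', 'critical', 'critical', 'critical', 'critical') },
];

console.log(sortBySeverity(SAMPLE).map((c) => c.name));
// → ['Component Y', 'Component Q', 'Component D', 'Component E', 'Component A']
```

Note that D sorts ahead of E even though E has more findings in total, because the comparison is by severity level rather than by raw count, which is exactly the behaviour the proposal asks for.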

