Yeah, explicitly specifying the patch version worked. The summarized answer is wrong – my package.json was indeed fixed without a problem.
Also, FYI, the “Fix with” button worked this morning after a hard refresh. I suspect the issue is that I still have a long-standing issue where another run-time dependency issue in the Next.js preview environment was showing up. Perhaps that was somehow blocking the Next.js security patch “Fix with” button from being clickable. But now it is.