I gave this some fresh thought and I now suspect the root cause lies within the modsecurity-crs package, which ironically is not mentioned anywhere in the error messages. This may provide some important missing context.
Once modsecurity was disabled and I was successfully able to reinstall all the packages, I had to remove the following two offending lines from /usr/share/modsecurity-crs/owasp-crs.load before nginx would start:

    IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I now suspect this issue may have cascaded and caused the error messages which blocked the package upgrades.