I think libzypp could become smarter and consider the vendor in addition to the version. In other words, either offer a replace, or leave the installed package alone. Other than that, do not create patches for packages which will 100% come from 3rd party repos. This certainly reveals an unrelated issue: the openSUSE.org:openSUSE:Leap:15.4:Update does not provide the sources for 4.4-150400.3.2.1, it does apparently link to 4.4-150400.1.13