We received a bug report where the CrowdSec plugin causes a fatal error when another plugin (MainWP Google Analytics Extension v6.0) bundles a different version of the same Symfony/PSR libraries:
Fatal error: Declaration of Symfony\Component\Cache\CacheItem::get() must be compatible
with Psr\Cache\CacheItemInterface::get(): mixed
Root cause
WordPress does not use Composer at the application level. Each plugin ships its own vendor/ directory with its own dependencies. There is no global dependency resolution across plugins.
When two plugins bundle the same library at different versions (here psr/cache v1.0 vs v3.0), PHP loads whichever class gets autoloaded first. The second plugin then gets an incompatible version, resulting in a fatal error.
This is a known limitation of the WordPress ecosystem and can affect any plugin that bundles common PHP libraries (Symfony, PSR interfaces, Monolog, Guzzle, etc.).
Proposed solution
Use PHP-Scoper to prefix all vendor namespaces with a unique prefix (e.g. CrowdSec\Vendor\), so our bundled classes never collide with those from other plugins.
This is the approach used by major WordPress plugins such as Yoast SEO and Google Site Kit.
We received a bug report where the CrowdSec plugin causes a fatal error when another plugin (MainWP Google Analytics Extension v6.0) bundles a different version of the same Symfony/PSR libraries:
Root cause
WordPress does not use Composer at the application level. Each plugin ships its own
vendor/directory with its own dependencies. There is no global dependency resolution across plugins.When two plugins bundle the same library at different versions (here
psr/cachev1.0 vs v3.0), PHP loads whichever class gets autoloaded first. The second plugin then gets an incompatible version, resulting in a fatal error.This is a known limitation of the WordPress ecosystem and can affect any plugin that bundles common PHP libraries (Symfony, PSR interfaces, Monolog, Guzzle, etc.).
Proposed solution
Use PHP-Scoper to prefix all vendor namespaces with a unique prefix (e.g.
CrowdSec\Vendor\), so our bundled classes never collide with those from other plugins.This is the approach used by major WordPress plugins such as Yoast SEO and Google Site Kit.