It is possible for multiple extensions to require the same package in incompatible versions and for one of those versions to be in MediaWiki-Vendor. This would work fine until the other package expects the code to work a certain way (and doesn't have a test for it) and then all of the sudden it breaks (since the package is not in a version the extension expects).
This is amplified by MediaWiki-Vendor because the guzzlehttp/guzzle version constraint must be manually specified which may become incompatible (over time) with A and B
Instead of maintaining a repo of dependencies. WMF ought to instead use Composer to require the extensions they need. This will let extensions define dependencies without having to manually update MediaWiki-Vendor. This does not mean WMF needs to run Composer in production, they can simply commit the vendor directory in their instance of MediaWiki.
For instance, if you were to require the extension like:
composer require mediawiki/abuse-filter
you would get the abuse filter extension (installed in the extensions folder) as well as all of that extensions dependencies installed in the vendor directory.
WMF could either use a version constraint on the extension, or use dev#master which will give them the latest master of that extension.
This follow's Composer's best-practices and removes the need to manually merge and update dependencies in MediaWiki-Vendor