random_bytes() is only for PHP 7 right? SecureRandom also is a good choice.
IMHO, a better way could be to create an interface (let say RandomStringGenerator) and modify the libary to rely on this interface.Then let developpers decide the generator they want to use.
If no generator is set, the default one is used.

Then I would recommend on using paragonie/random_compat

IMO, the right way is to use random_bytes and to use paragonie/random_compat for PHP 5 (this is what Symfony does now. SecureRandom is deprecated).

There is no point allowing developers to switch to a less secure generator IMO.

Makes sense, the only downside is that you can’t mock out random numbers anymore easily.