We recently had a discussion regarding managing Beam dependencies. Please see  for the email thread and  for the relevant document.
This discussion resulted in following policies. I believe, these will help keep Beam at a healthy state while allowing human intervention when needed.
(1) Human readable reports on status of Beam dependencies are generated weekly and shared with the Beam community through the dev list.
(2) Beam components should define dependencies and their versions at the top level.
(3) A significantly outdated dependency (identified manually or through tooling) should result in a JIRA that is a blocker for the next release. Release manager may choose to push the blocker to the subsequent release or downgrade from a blocker.
(4) Dependency declarations may identify owners that are responsible for upgrading the respective dependencies.
(5) Dependencies of Java SDK components that may cause issues to other components if leaked should be shaded.
[ ] +1, Approve that we adapt these policies
[ ] -1, Do not approve (please provide specific comments)