Document how dependencies are managed / updated

[MylesBorins]

In #4765 an individual asked why a dependency was not being included as a submodule

https://github.com/nodejs/node/pull/4765/files#r50186199

Afaik we do not have the management strategy for dependencies documented anywhere.

Here is my response.

Currently for dependencies such as v8, libuv, or npm we take version updates as a single commit updating the state of the current directory, generally from a collaborator of the project we are downstream from. In between large updates we will sometimes backport changes as individual patch's.

Where should something like this live?
How specific should it be?
Should it be documented on a per vendor basis?
Should this be a standard that vendors adhere to?

edit: the last two points may be a bit out of scope for this issue, but I am concerned about how specific this should be if it is considered authoratative

[Qard]

I imagine this sort of thing would live in the collaborator guide. It could also be part of the internals docs I started, when that gets migrated into nodejs/node.