If you are a Gaia hacker, you have two choices when using Bower controlled packages: global or local.
You can use shared/
just like any other Gaia shared piece of code. This means you always get the latest version of that package, this means that you run the risk of code changing, you're not depending on a locked version.
Updating packages in Gaia should be done/reviewed by the package owner. This is because they will have the best knowledge as to which apps are likely to be affected by the update, and whether any app changes are required to avoid breakage. The update steps, like all Bower controlled shared dependencies, are as follows: