Adding a dependency is a legal risk. For 2, if you are unsure of the legal implications, contact our general counsel through the maintainers or your team lead.
All dependencies must be recorded in lock files.
Forks with PRs to upstream are welcome; forks without PRs to upstream are not.
Other things are checked by CI jobs or decided case by case.