If you want to learn more about downsides of dependencies, you can read this blog post about Ruby dependencies and this one about Node.
Monkey patches are often used to change the behavior of the code you don’t own.
You can try the new Rails version using the published guides and report any problem you may find on Rails issue tracker.
I think it is an important question you may need to answer to your team members.
My favorite reasons are: security, bug fixes, and features.