How to choose mbedtls version?

I’m developping an embedded security toolbox, running on linux for the moment, that may help developper for IoT. I have choose to integrate mbedtls.
When building, i make a “git clone” then i switch on a choosen tag of mbedtls.
So i worry about how to choose the version, and when do i need to change regarding new CVE’s ?
Second question, i have seen there is a crypto sub-module, is it always consistent with main module in term of version ?
Thanks, Nicolas.