Accepting an outdated dependency on GORM would be OK since there is no security involved in DB structure/querying (SQL injection apart but that's solved already). It would be "just" a consolidated API and "less" performance/type checking maybe? (something that was OK until a couple of years ago, and still IS ok today for most of us).
The reason to update all other dependencies is related to a security concern and to the psychological impact of investing in a technology that is not up to date. If we can use an old version of GORM/Hibernate with all other dependencies updated I think it would be a huge step already.
What I write are my own opinions from the perspective I see the world, so yes, they can be completely wrong. Nonetheless I prefer to share them to discuss.