Currently, if you install modules, userlib files will be added to the /userlib folder in your Mendix project. But if you install a newer version of the same module, all the old userlib files will remain, as there is no cleanup mechanism. (Jar files will even remain if you delete the module.)
This is an important issue as it gives big security problems over time when userlibs are outdated. We all saw this happening with Log4J.
It’s really a difficult job to manually clean up the userlib folder, as the titles of the userlib files are often not consistent between versions. Sometimes there is a metafile included which states which module is using which library, but this is also not reliable, as it's not included every time.
This means that to track down every userlib file, you have to create an empty project and import all (new) modules, to make a list of which jar files are actually needed in your userlib folder. We are running many Mendix projects and this is impossible to do, considering the amount of work.
Solution: Mendix should make a database with included userlib files for each separate module version. This should be quite easy to accomplish, as the modeller already gives a message with the new jar files which are going to be installed when installing a module version. According to this database, the modeller should automatically clean up old jar files in the userlib folder.
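Until such a cleanup exists, a userlib folder can at least be audited for leftovers. The following is an added example, not part of the original post and not Mendix code: it flags libraries present in more than one version and jars that have no metafile beside them. It assumes jars are named `<name>-<version>.jar` and that the metafile is named `<jar>.<Module>.RequiredLib`; the sample file names and module names are constructed.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Splits "commons-io-2.11.0.jar" into ("commons-io", "2.11.0"). The version is taken
# to start at the first "-<digit>"; this is a heuristic, jar names are not uniform.
JAR_NAME = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def version_key(version):
    """Sort key that compares numeric parts as numbers, so 2.11 sorts after 2.3."""
    return [int(p) if p.isdigit() else -1 for p in re.split(r"[.\-_]", version)]

def audit_userlib(userlib):
    """Return (duplicates, unclaimed) for a userlib folder.

    duplicates: {library name: [versions, oldest first]} where more than one is present.
    unclaimed:  jar names with no "<jar>.<Module>.RequiredLib" file (assumed naming).
    """
    files = [p.name for p in Path(userlib).iterdir() if p.is_file()]
    jars = sorted(f for f in files if f.lower().endswith(".jar"))
    markers = [f for f in files if f.endswith(".RequiredLib")]
    versions = defaultdict(set)
    for jar in jars:
        m = JAR_NAME.match(jar)
        if m:
            versions[m["name"].lower()].add(m["version"])
    duplicates = {n: sorted(v, key=version_key) for n, v in versions.items() if len(v) > 1}
    # A missing metafile is only a hint: the post notes it is not always shipped.
    unclaimed = [j for j in jars if not any(mk.startswith(j + ".") for mk in markers)]
    return duplicates, unclaimed

def build_sample(folder):
    """Constructed sample: empty files named like a userlib after a module upgrade."""
    for name in ["log4j-core-2.14.1.jar", "log4j-core-2.17.1.jar",
                 "log4j-core-2.17.1.jar.ExampleModule.RequiredLib",
                 "commons-io-2.3.jar", "commons-io-2.11.0.jar",
                 "commons-io-2.11.0.jar.ExampleModule.RequiredLib",
                 "guava-19.0.jar", "guava-19.0.jar.OtherModule.RequiredLib"]:
        (Path(folder) / name).touch()
    return folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dups, unclaimed = audit_userlib(build_sample(tmp))
        print("multiple versions present:", dups)
        print("no metafile, review before removing:", unclaimed)
```

Both lists are candidates for review rather than a deletion list, since a jar without a metafile may still be needed by a module.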