The "ndext" directory of Domino contains more and more open source and internal libraries that are automatically added to the JVM classpath of web apps (and probably agents as well), e.g.:
activation.jar => javax.activation version 1.1
BlueJavaHtmlSanitizer.jar => OWASP HTML sanitizer version 20180219.1
domino-acf-policies.jar => OWASP ACF policies for Domino
dlt.jar => com.ibm.dltj, version nightlybuild_DLT7113_HF_2010_05_17_Hursley
dservlet.jar => lotus.domino.server.*
guava.jar => Google Guava version 19.0.0
ibmdirectoryservices.jar => com.ibm.directoryservices.ldap
icu4j.jar => ICU4J version 4.0
jsdk.jar => javax.servlet.* API, version probably 2.4
lmgfilter.jar => com.ibm.spamguru
mail.jar => javax.mail.* API 1.4
RMEval.jar => com.ibm.amw
stcommsrvrtk.jar => Sametime Java classes version SAMETIME8.0.2_20081209.0208_WIN32AIXSOLLIN_WESTFORD
As a developer, the libs that hurt the most are the old versions of Google Guava, ICU4J and the OWASP HTML sanitizer.
activation.jar even is a duplicate, because the JDK 1.8 rt.jar archive already contains this API.
Having them in the JDK system classpath by default means we cannot use newer versions in our applications (except for some very experimental Java classloader tricks which also require higher Java privileges than standard XPages web apps have).
Please clean this directory up or find a different implementation approach that lets us use newer lib versions in our apps.
Karsten Lehmann, Mindoo GmbH