
Bump pmd from 7.21.0 to 7.22.0 #312

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/gradle/pmd-7.22.0

Conversation


dependabot[bot] commented on behalf of github on Feb 27, 2026

Bumps pmd from 7.21.0 to 7.22.0.
Updates net.sourceforge.pmd:pmd-core from 7.21.0 to 7.22.0

Release notes

Sourced from net.sourceforge.pmd:pmd-core's releases.

PMD 7.22.0 (27-February-2026)

27-February-2026 - 7.22.0

The PMD team is pleased to announce PMD 7.22.0.

This is a minor release.

🚀️ New and noteworthy

Security fixes

  • This release fixes a stored XSS vulnerability in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages.
    Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g. pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.
    Note: The default html format is not affected by unescaped violation messages, but a similar problem existed with suppressed violation markers.
    If you use these reports, it is recommended to upgrade PMD.
    Reported by Smaran Chand (@smaranchand).

🌟️ New and Changed Rules

New Rules

  • The new Java rule UnnecessaryInterfaceDeclaration detects classes that implement interfaces that are already implemented by its superclass, and interfaces that extend other interfaces already declared by their superinterfaces.
    These declarations are redundant and can be removed to simplify the code.

Changed Rules

  • The rule CloseResource introduces a new property, allowedResourceMethodPatterns, which lets you specify method invocation patterns whose return values are resources managed externally. This is useful for ignoring managed resources - for example, Reader/Writer instances obtained from HttpServletRequest/HttpServletResponse - because the servlet container, not application code, is responsible for closing them. By default, the rule ignores InputStream/OutputStream/Reader/Writer resources returned by methods on (Http)ServletRequest and (Http)ServletResponse

... (truncated)

Commits
  • 7f74d77 [release] prepare release pmd_releases/7.22.0
  • 1d1d51d Prepare pmd release 7.22.0
  • f150d3d Update security.md (refs #6475)
  • 5523b33 Update contributors for 7.22.0
  • c140c0e [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer (#6475)
  • 96598aa [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer
  • 0f84b4d chore(deps): bump faraday from 2.13.3 to 2.14.1 (#6474)
  • 0304cfc chore(deps): bump nokogiri to 1.19.1 (#6473)
  • 5d5f969 [core] Fix BaseAntlrTerminalNode getTokenKind to return type instead of index...
  • 41e6b68 [doc] Update release notes (#6471, #6472)
  • Additional commits viewable in compare view

Updates net.sourceforge.pmd:pmd-java from 7.21.0 to 7.22.0

Updates net.sourceforge.pmd:pmd-kotlin from 7.21.0 to 7.22.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
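The security fix in these release notes is a report renderer copying violation messages into HTML without escaping. The example below is added here and is not PMD's code: it models a minimal table report with a constructed `Violation` record (a stand-in for PMD's real violation type), shows the defective pattern beside its hardened form, and includes a check a pipeline can run over a generated report to confirm no untrusted field reached the output with its markup intact. It escapes every field that originates from the analysed source, not only the message, which is the same lesson the note about suppressed-violation markers in the default html format points to. The class, method and field names are assumptions for illustration.

```java
import java.util.List;

// Added example (not PMD's code): the rendering pattern behind the stored-XSS fix,
// shown unescaped beside its hardened form. Violation is a constructed stand-in for
// PMD's violation type; only the fields needed for the report are modelled.
public final class HtmlReportEscaping {

    public record Violation(String file, int line, String rule, String message) {}

    /** HTML-escapes the five characters that can change context inside text or attributes. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&' -> sb.append("&amp;");
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '"' -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The defective pattern: fields copied verbatim into markup. Kept only for comparison. */
    public static String renderUnescaped(List<Violation> violations) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Violation v : violations) {
            html.append("<tr><td>").append(v.file()).append(':').append(v.line())
                .append("</td><td>").append(v.rule())
                .append("</td><td>").append(v.message()).append("</td></tr>\n");
        }
        return html.append("</table>\n").toString();
    }

    /** Hardened form: every string that originates from the analysed source is escaped. */
    public static String renderEscaped(List<Violation> violations) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Violation v : violations) {
            html.append("<tr><td>").append(escapeHtml(v.file())).append(':').append(v.line())
                .append("</td><td>").append(escapeHtml(v.rule()))
                .append("</td><td>").append(escapeHtml(v.message())).append("</td></tr>\n");
        }
        return html.append("</table>\n").toString();
    }

    /** Report-side check: no untrusted field may appear in the output with its markup intact. */
    public static boolean leaksRawMarkup(String html, List<Violation> violations) {
        for (Violation v : violations) {
            for (String field : List.of(v.file(), v.rule(), v.message())) {
                if ((field.contains("<") || field.contains("\"")) && html.contains(field)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed input: rule messages commonly quote identifiers or literals from the
        // analysed file, so a file submitted by an outside contributor controls part of them.
        List<Violation> sample = List.of(
            new Violation("src/main/java/Foo.java", 12, "UnusedLocalVariable",
                "Avoid unused local variables such as 'tmp'."),
            new Violation("src/main/java/Bar.java", 7, "UnusedPrivateField",
                "Avoid unused private fields such as '<script>probe()</script>'."));

        String unsafe = renderUnescaped(sample);
        String safe = renderEscaped(sample);

        System.out.println("unescaped report leaks markup: " + leaksRawMarkup(unsafe, sample));
        System.out.println("escaped report leaks markup:   " + leaksRawMarkup(safe, sample));
        System.out.print(safe);
    }
}
```

Run with `java HtmlReportEscaping.java` (Java 17 or later). The check flags the unescaped report and passes the escaped one; the same `leaksRawMarkup` idea can be applied to a real `--format vbhtml` or `--format yahtml` artifact by feeding it the violations from a parallel `--format xml` run, which is a cheap regression guard in a pipeline that publishes reports from external pull requests.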

Bumps `pmd` from 7.21.0 to 7.22.0.

Updates `net.sourceforge.pmd:pmd-core` from 7.21.0 to 7.22.0
- [Release notes](https://github.com/pmd/pmd/releases)
- [Commits](pmd/pmd@pmd_releases/7.21.0...pmd_releases/7.22.0)

Updates `net.sourceforge.pmd:pmd-java` from 7.21.0 to 7.22.0
- [Release notes](https://github.com/pmd/pmd/releases)
- [Commits](pmd/pmd@pmd_releases/7.21.0...pmd_releases/7.22.0)

Updates `net.sourceforge.pmd:pmd-kotlin` from 7.21.0 to 7.22.0
- [Release notes](https://github.com/pmd/pmd/releases)
- [Commits](pmd/pmd@pmd_releases/7.21.0...pmd_releases/7.22.0)

---
updated-dependencies:
- dependency-name: net.sourceforge.pmd:pmd-core
  dependency-version: 7.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: net.sourceforge.pmd:pmd-java
  dependency-version: 7.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: net.sourceforge.pmd:pmd-kotlin
  dependency-version: 7.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and java (Pull requests that update java code) on Feb 27, 2026