
Bump net.sourceforge.pmd:pmd-core from 7.13.0 to 7.22.0 #58

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/maven/net.sourceforge.pmd-pmd-core-7.22.0
Conversation


@dependabot dependabot Bot commented on behalf of github Mar 2, 2026

Bumps net.sourceforge.pmd:pmd-core from 7.13.0 to 7.22.0.

Release notes

Sourced from net.sourceforge.pmd:pmd-core's releases.

PMD 7.22.0 (27-February-2026)

27-February-2026 - 7.22.0

The PMD team is pleased to announce PMD 7.22.0.

This is a minor release.

Table Of Contents

🚀️ New and noteworthy

Security fixes

  • This release fixes a stored XSS vulnerability in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages.
    Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g. pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.
    Note: The default html format is not affected by unescaped violation messages, but a similar problem existed with suppressed violation markers.
    If you use these reports, it is recommended to upgrade PMD.
    Reported by Smaran Chand (@smaranchand).

🌟️ New and Changed Rules

New Rules

  • The new Java rule UnnecessaryInterfaceDeclaration detects classes that implement interfaces that are already implemented by its superclass, and interfaces that extend other interfaces already declared by their superinterfaces.
    These declarations are redundant and can be removed to simplify the code.

Changed Rules

  • The rule CloseResource introduces a new property, allowedResourceMethodPatterns, which lets you specify method invocation patterns whose return values are resources managed externally. This is useful for ignoring managed resources - for example, Reader/Writer instances obtained from HttpServletRequest/HttpServletResponse - because the servlet container, not application code, is responsible for closing them. By default, the rule ignores InputStream/OutputStream/Reader/Writer resources returned by methods on (Http)ServletRequest and (Http)ServletResponse

... (truncated)

Commits
  • 7f74d77 [release] prepare release pmd_releases/7.22.0
  • 1d1d51d Prepare pmd release 7.22.0
  • f150d3d Update security.md (refs #6475)
  • 5523b33 Update contributors for 7.22.0
  • c140c0e [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer (#6475)
  • 96598aa [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer
  • 0f84b4d chore(deps): bump faraday from 2.13.3 to 2.14.1 (#6474)
  • 0304cfc chore(deps): bump nokogiri to 1.19.1 (#6473)
  • 5d5f969 [core] Fix BaseAntlrTerminalNode getTokenKind to return type instead of index...
  • 41e6b68 [doc] Update release notes (#6471, #6472)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [net.sourceforge.pmd:pmd-core](https://github.com/pmd/pmd) from 7.13.0 to 7.22.0.
- [Release notes](https://github.com/pmd/pmd/releases)
- [Commits](pmd/pmd@pmd_releases/7.13.0...pmd_releases/7.22.0)

---
updated-dependencies:
- dependency-name: net.sourceforge.pmd:pmd-core
  dependency-version: 7.22.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Mar 2, 2026
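The stored XSS fixed in 7.22.0 came from violation messages being written into the HTML report without escaping, so any markup echoed from scanned source text became live in the viewer's browser. The following added example is not PMD's code: it is a minimal Java renderer that escapes every field before emitting a table cell, with a constructed violation whose message carries markup. Class and record names are hypothetical; it assumes Java 17 or later.

```java
import java.util.List;

/** Hypothetical stand-in for an HTML report renderer; not PMD's actual renderer classes. */
public final class EscapedHtmlReport {

    /** Constructed violation record; PMD's real RuleViolation API is richer than this. */
    public record Violation(String file, int line, String rule, String message) {}

    /** Escapes the five characters that let text break out of HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&' -> sb.append("&amp;");
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '"' -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders one table row. Every field is escaped, including the message, which often quotes scanned source. */
    static String renderRow(Violation v) {
        return "<tr><td>" + escapeHtml(v.file()) + "</td><td>" + v.line() + "</td><td>"
             + escapeHtml(v.rule()) + "</td><td>" + escapeHtml(v.message()) + "</td></tr>\n";
    }

    static String render(List<Violation> violations) {
        StringBuilder sb = new StringBuilder("<html><body><table>\n");
        for (Violation v : violations) {
            sb.append(renderRow(v));
        }
        return sb.append("</table></body></html>\n").toString();
    }

    public static void main(String[] args) {
        // Constructed input: a rule message that echoes an identifier taken from the scanned file.
        Violation v = new Violation("Foo.java", 12, "UnusedLocalVariable",
            "Avoid unused local variables such as '<script>alert(1)</script>'.");
        String html = render(List.of(v));
        System.out.print(html);
        // The markup reaches the report only as inert text (&lt;script&gt;...), never as an element.
        if (html.contains("<script")) {
            throw new AssertionError("unescaped markup reached the report");
        }
    }
}
```

The same rule applies to any other text the report embeds, such as the suppressed-violation markers the release note mentions for the default html format: escape at the point of output, not at the point of collection.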
codecov Bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.13%. Comparing base (6e6f668) to head (55cf6ac).

Additional details and impacted files
@@           Coverage Diff           @@
##           master      #58   +/-   ##
=======================================
  Coverage   99.13%   99.13%           
=======================================
  Files          38       38           
  Lines        1274     1274           
  Branches      171      171           
=======================================
  Hits         1263     1263           
  Misses          6        6           
  Partials        5        5           
