dependabot[bot] opened a new pull request, #10944:
URL: https://github.com/apache/nifi/pull/10944

   Bumps [net.sourceforge.pmd:pmd-core](https://github.com/pmd/pmd) from 7.21.0 
to 7.22.0.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/pmd/pmd/releases">net.sourceforge.pmd:pmd-core's releases</a>.</em></p>
   <blockquote>
   <h2>PMD 7.22.0 (27-February-2026)</h2>
   <h2>27-February-2026 - 7.22.0</h2>
   <p>The PMD team is pleased to announce PMD 7.22.0.</p>
   <p>This is a minor release.</p>
   <h3>🚀️ New and noteworthy</h3>
   <h4>Security fixes</h4>
   <ul>
   <li>This release fixes a stored XSS vulnerability in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages.<br />
   Affects CI/CD pipelines that run PMD with <code>--format vbhtml</code> or <code>--format yahtml</code> on untrusted source code
   (e.g. pull requests from external contributors) and expose the HTML report as a build artifact.
   JavaScript executes in the browser context of anyone who opens the report.<br />
   Note: The default <code>html</code> format is <strong>not affected</strong> by unescaped violation messages, but a similar problem
   existed with suppressed violation markers.<br />
   If you use these reports, it is recommended to upgrade PMD.<br />
   Reported by <a href="https://github.com/smaranchand">Smaran Chand</a> (<a href="https://github.com/smaranchand"><code>@smaranchand</code></a>).</li>
   </ul>
   <h3>🌟️ New and Changed Rules</h3>
   <h4>New Rules</h4>
   <ul>
   <li>The new Java rule <a href="https://docs.pmd-code.org/pmd-doc-7.22.0/pmd_rules_java_codestyle.html#unnecessaryinterfacedeclaration"><code>UnnecessaryInterfaceDeclaration</code></a> detects classes that
   implement interfaces that are already implemented by their superclass, and interfaces
   that extend other interfaces already declared by their superinterfaces.<br />
   These declarations are redundant and can be removed to simplify the code.</li>
   </ul>
   <h4>Changed Rules</h4>
   <ul>
   <li>The rule <a href="https://docs.pmd-code.org/pmd-doc-7.22.0/pmd_rules_java_errorprone.html#closeresource"><code>CloseResource</code></a> introduces a new property, <code>allowedResourceMethodPatterns</code>,
   which lets you specify method invocation patterns whose return values are resources managed externally.
   This is useful for ignoring managed resources - for example, <code>Reader</code>/<code>Writer</code> instances obtained from
   <code>HttpServletRequest</code>/<code>HttpServletResponse</code> - because the servlet container, not application code,
   is responsible for closing them. By default, the rule ignores <code>InputStream</code>/<code>OutputStream</code>/<code>Reader</code>/<code>Writer</code>
   resources returned by methods on <code>(Http)ServletRequest</code> and <code>(Http)ServletResponse</code>.</li>
   </ul>
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/pmd/pmd/commit/7f74d775143d842c9a9964e59e64284596a83a84"><code>7f74d77</code></a> [release] prepare release pmd_releases/7.22.0</li>
   <li><a href="https://github.com/pmd/pmd/commit/1d1d51dd75ef7420842f79b977a3f1521e60174b"><code>1d1d51d</code></a> Prepare pmd release 7.22.0</li>
   <li><a href="https://github.com/pmd/pmd/commit/f150d3dd8e5091fc4049c1c8ef1d3873b9a992a0"><code>f150d3d</code></a> Update security.md (refs <a href="https://redirect.github.com/pmd/pmd/issues/6475">#6475</a>)</li>
   <li><a href="https://github.com/pmd/pmd/commit/5523b332ed4d454c0abf0ffe324cda0142970993"><code>5523b33</code></a> Update contributors for 7.22.0</li>
   <li><a href="https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442"><code>c140c0e</code></a> [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer (<a href="https://redirect.github.com/pmd/pmd/issues/6475">#6475</a>)</li>
   <li><a href="https://github.com/pmd/pmd/commit/96598aa6c4b42cf13b2b4b20d8c29d2bc680ecd0"><code>96598aa</code></a> [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer</li>
   <li><a href="https://github.com/pmd/pmd/commit/0f84b4d11039e03d8e34928d03a2f5950e816d89"><code>0f84b4d</code></a> chore(deps): bump faraday from 2.13.3 to 2.14.1 (<a href="https://redirect.github.com/pmd/pmd/issues/6474">#6474</a>)</li>
   <li><a href="https://github.com/pmd/pmd/commit/0304cfc47d0b61ee16b7a3eda3d8fdaecf4fdca1"><code>0304cfc</code></a> chore(deps): bump nokogiri to 1.19.1 (<a href="https://redirect.github.com/pmd/pmd/issues/6473">#6473</a>)</li>
   <li><a href="https://github.com/pmd/pmd/commit/5d5f96951598cc6c007167c6ae0845ae362e87a5"><code>5d5f969</code></a> [core] Fix BaseAntlrTerminalNode getTokenKind to return type instead of index...</li>
   <li><a href="https://github.com/pmd/pmd/commit/41e6b680e25144a8feb908725ba2df2805f59118"><code>41e6b68</code></a> [doc] Update release notes (<a href="https://redirect.github.com/pmd/pmd/issues/6471">#6471</a>, <a href="https://redirect.github.com/pmd/pmd/issues/6472">#6472</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/pmd/pmd/compare/pmd_releases/7.21.0...pmd_releases/7.22.0">compare view</a></li>
   </ul>
   </details>
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
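
The class of bug named in the release notes' security section above (violation text written into an HTML report without escaping), shown as an added example that is not part of the pull request and is not PMD's code. `Violation`, `escapeHtml`, the row layout and the sample values are hypothetical and constructed for illustration; the code assumes Java 16 or later for records.

```java
public class ReportEscapingDemo {
    // Hypothetical stand-in for one reported violation (not a PMD type).
    record Violation(String file, int line, String message, String suppressionNote) {}

    // Encode the characters that can open tags, entities or attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Before: text derived from the analysed source is concatenated into markup as-is.
    static String rowUnescaped(Violation v) {
        return "<tr><td>" + v.file() + ":" + v.line() + "</td><td>" + v.message()
                + "</td><td>" + v.suppressionNote() + "</td></tr>";
    }

    // After: every such field is encoded at the point of output, suppression text included.
    static String rowEscaped(Violation v) {
        return "<tr><td>" + escapeHtml(v.file()) + ":" + v.line() + "</td><td>"
                + escapeHtml(v.message()) + "</td><td>"
                + escapeHtml(v.suppressionNote()) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample: message and suppression text carrying markup from analysed code.
        Violation v = new Violation("src/Foo.java", 12,
                "Avoid literal \"<script>alert(1)</script>\"", "reviewed <b>ok</b>");
        System.out.println("before: " + rowUnescaped(v));
        String after = rowEscaped(v);
        System.out.println("after:  " + after);
        // The fixed row must contain only the renderer's own tags.
        String stripped = after.replaceAll("</?t[rd]>", "");
        if (stripped.contains("<") || stripped.contains(">")) {
            throw new AssertionError("unescaped markup in report row");
        }
    }
}
```

The same output-encoding rule applies to every report column fed from the analysed repository, which is why the suppression text is escaped alongside the message.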
