Sourced from net.sourceforge.pmd:pmd-java's releases.

PMD 7.22.0 (27-February-2026)

27-February-2026 - 7.22.0

The PMD team is pleased to announce PMD 7.22.0.

This is a minor release.

Table Of Contents

• 🚀️ New and noteworthy
  • Security fixes
• 🌟️ New and Changed Rules
  • New Rules
  • Changed Rules
• 🐛️ Fixed Issues
• 🚨️ API Changes
  • Deprecations
• ✨️ Merged pull requests
• 📦️ Dependency updates
• 📈️ Stats

🚀️ New and noteworthy

Security fixes

• This release fixes a stored XSS vulnerability in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages.
  Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g. pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.
  Note: The default html format is not affected by unescaped violation messages, but a similar problem existed with suppressed violation markers.
  If you use these reports, it is recommended to upgrade PMD.
  Reported by Smaran Chand (@​smaranchand).

🌟️ New and Changed Rules

New Rules

• The new Java rule UnnecessaryInterfaceDeclaration detects classes that implement interfaces that are already implemented by its superclass, and interfaces that extend other interfaces already declared by their superinterfaces.
  These declarations are redundant and can be removed to simplify the code.

Changed Rules

• The rule CloseResource introduces a new property, allowedResourceMethodPatterns, which lets you specify method invocation patterns whose return values are resources managed externally. This is useful for ignoring managed resources - for example, Reader/Writer instances obtained from HttpServletRequest/HttpServletResponse - because the servlet container, not application code, is responsible for closing them. By default, the rule ignores InputStream/OutputStream/Reader/Writer resources returned by methods on (Http)ServletRequest and (Http)ServletResponse

... (truncated)

• 7f74d77 [release] prepare release pmd_releases/7.22.0
• 1d1d51d Prepare pmd release 7.22.0
• f150d3d Update security.md (refs #6475)
• 5523b33 Update contributors for 7.22.0
• c140c0e [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer (#6475)
• 96598aa [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer
• 0f84b4d chore(deps): bump faraday from 2.13.3 to 2.14.1 (#6474)
• 0304cfc chore(deps): bump nokogiri to 1.19.1 (#6473)
• 5d5f969 [core] Fix BaseAntlrTerminalNode getTokenKind to return type instead of index...
• 41e6b68 [doc] Update release notes (#6471, #6472)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)