From f0350dd55446e78ff917b5641070e6db9d379d3f Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Thu, 30 Oct 2025 04:11:25 +0000 Subject: [PATCH 1/5] Update lycheeverse/lychee-action digest to a8c4c7c --- .github/workflows/broken-links.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml index a99ae52..0e96b20 100644 --- a/.github/workflows/broken-links.yml +++ b/.github/workflows/broken-links.yml @@ -18,7 +18,7 @@ jobs: - name: Link Checker id: lychee - uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2 + uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2 with: fail: false # Don't fail on broken links, create an issue instead From f5923efaaa98f06a394b539ee7d795d941973e86 Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Sat, 1 Nov 2025 04:16:41 +0000 Subject: [PATCH 2/5] Update net.sourceforge.pmd to v7.18.0 --- pom.xml | 4 ++-- template-placeholder/pom.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index cddae72..046a742 100644 --- a/pom.xml +++ b/pom.xml @@ -83,12 +83,12 @@ net.sourceforge.pmd pmd-core - 7.17.0 + 7.18.0 net.sourceforge.pmd pmd-java - 7.17.0 + 7.18.0 diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 7203198..13bcb16 100644 --- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -253,12 +253,12 @@ net.sourceforge.pmd pmd-core - 7.17.0 + 7.18.0 net.sourceforge.pmd pmd-java - 7.17.0 + 7.18.0 From 4ebf84d79a7204b8641896071191c7e05ae42fe1 Mon Sep 17 00:00:00 2001 
From: AB Date: Mon, 3 Nov 2025 08:46:37 +0100 Subject: [PATCH 3/5] Updated to PMD 7.18 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.com/pmd/pmd/releases/tag/pmd_releases%2F7.18.0 Reasoning: * Newly included/Changed * `IdenticalConditionalBranches` → self explaining * `LabeledStatement` → are confusing to use and I barely ever see them * Not included * `UnusedLabel` → Not used because `LabeledStatement` already handles these * `ConfusingTernary` → Not helpful in most situations * `AvoidCatchingGenericException` → Might be ok for maybe Throwable or Error (but we sometimes also have to catch those), however not catching Exceptions and RuntimeExceptions is an extremely bad practice --- .config/pmd/java/ruleset.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index 341cb3a..3332029 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml @@ -17,6 +17,7 @@ + @@ -149,6 +150,7 @@ + From 53e5c3113b97eb080131c1809d79b6b2d3365c60 Mon Sep 17 00:00:00 2001 From: AB Date: Mon, 3 Nov 2025 15:14:58 +0100 Subject: [PATCH 4/5] Don't allow TODO comments Fixes https://github.com/xdev-software/java-setup-template/issues/1 --- .config/checkstyle/checkstyle.xml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.config/checkstyle/checkstyle.xml b/.config/checkstyle/checkstyle.xml index 43b5290..ffbc2a9 100644 --- a/.config/checkstyle/checkstyle.xml +++ b/.config/checkstyle/checkstyle.xml @@ -122,9 +122,7 @@ - - - + From 4342c35dc276aecb146aa2877b1062c4a16ba3c0 Mon Sep 17 00:00:00 2001 From: AB Date: Fri, 7 Nov 2025 14:12:35 +0100 Subject: [PATCH 5/5] Small descriptive improvements Fixes https://github.com/xdev-software/java-setup-template/issues/2 --- .config/pmd/java/ruleset.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index 3332029..c057d1a 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml @@ -213,11 +213,11 @@ message="StringBuilder/StringBuffer should not be used" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> -Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or may be replaced by a simpler string concatenation. +Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or in situations where it may be easily replaced by a simpler string concatenation. Solution: * Do not use `StringBuffer` because it's thread-safe and usually this is not needed -* If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be optimized by the Java compiler internally. +* If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be [optimized by the Java compiler internally](https://docs.oracle.com/javase/specs/jls/se25/html/jls-15.html#jls-15.18.1). * In all other cases: * Check what is happening and if it makes ANY sense! If for example a CSV file is built here consider using a proper library instead! * Abstract the Strings into a DTO, join them together using a collection (or `StringJoiner`) or use Java's Streaming API instead 
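Review bot: The link added to JLS §15.18.1 does not back the unconditional wording that the concatenation "will be optimized by the Java compiler internally" in the same bullet; the cited section only permits an implementation to avoid intermediate String objects, it does not require it, so the claim should be softened to match its source. Suggested wording for that bullet: `This may be optimized by the Java compiler internally (JLS §15.18.1 allows, but does not mandate, avoiding intermediate String objects).` The rest of the Solution list is unaffected. The enclosing `<rule>` element opens before this hunk and its `</description>` lies outside the visible lines.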
@@ -239,8 +239,8 @@ Solution: message="Setters of java.lang.System should not be called unless really needed" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> -Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior. -For example, it may break when multiple Threads are setting the value. +Calling setters of `java.lang.System` usually indicates bad design and likely causes unexpected behavior. +For example, it may break when multiple Threads are working with the same value. It may also overwrite user defined options or properties. Try to pass the value only to the place where it's really needed and use it there accordingly. @@ -352,7 +352,8 @@ You can suppress this warning when you properly sanitized the name. Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en). Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial). -Java Object Serialization may also fail to deserialize when the underlying classes are changed. +Java Object Serialization may also fail to deserialize properly when the underlying classes are changed. +This can result in unexpected crashes when outdated data is deserialized. Use proven data interchange formats like JSON instead. @@ -374,7 +375,8 @@ Use proven data interchange formats like JSON instead. + class="net.sourceforge.pmd.lang.rule.xpath.XPathRule" + externalInfoUrl="https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML"> Do not use native HTML! Use Vaadin layouts and components to create required structure. If you are 100% sure that you escaped the value properly and you have no better options you can suppress this.
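Review bot: The closing advice `Use proven data interchange formats like JSON instead.` in the ObjectDeserialization description still reads as if the format alone removes the risk, and the newly added sentence about outdated data does not change that. Several JSON binding libraries reintroduce the same class of problem when polymorphic or default typing is enabled, because the concrete class to instantiate is then taken from the input rather than from the code. Add a caveat directly after that line, e.g. `Keep polymorphic/default typing disabled in the JSON library and bind only to fixed, known classes.` The surrounding `<rule>` element opens before this hunk.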
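Review bot: The added externalInfoUrl points to the generic MDN innerHTML reference, yet the description never names the risk the rule guards against, so a reader meets "escaped the value properly" without knowing what failure the escaping prevents. State it in the description, e.g. `Rendering unescaped, user-influenced values as raw HTML is a cross-site scripting (XSS) risk; prefer component APIs that accept plain text.` A reference that explains the required escaping, such as the OWASP Cross Site Scripting Prevention Cheat Sheet, would complement the MDN link. This is the last hunk of the series and the `<rule>` element's opening tag and closing `</description>` are outside the visible lines, so the surrounding context could not be checked.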