From c539c2f4fd1c85ff86053149315e92e7ffafc58d Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 16:24:30 +0000 Subject: [PATCH] Add change note --- .../2026-02-12-pattern-annotation-ssrf-sanitizer.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md diff --git a/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md b/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md new file mode 100644 index 00000000000..20d3d08b300 --- /dev/null +++ b/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries.
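Review bot: The added bullet opens with "More ways of checking that a string matches a regular expression" but names only one of them, `@javax.validation.constraints.Pattern`. Suggest listing the newly recognised checks so users can tell which `java/ssrf` and `java/path-injection` alerts they should expect to disappear. The note could also say which elements the annotation has to be on (field, parameter, return value) and whether the `jakarta.validation.constraints.Pattern` equivalent is covered, since only the `javax` name appears. If the sanitizer keys on the presence of a regex check rather than on how restrictive the pattern is, that is worth stating too, because a permissive pattern would then suppress a genuine result for these two queries.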