• Login
Community
  • Login

Notepad++ v8.8.2 Release Candidate

Scheduled Pinned Locked Moved Announcements
36 Posts 7 Posters 23.4k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D
    donho
    last edited by donho Jun 28, 2025, 2:42 PM Jun 22, 2025, 6:51 PM

    Notepad++ release candidate 8.8.2 is available here:
    http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC/

    Notepad++ 8.8.2 RC2 is available here:
    http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC2/

    Notepad++ 8.8.2 RC3 is available here:
    http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC3/

    A bug of new feature “Read-only attribute in Windows” has been fixed in RC3:
    https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16734

    Please note that the 8.8.2 RC binaries are not signed due to the expiration of Notepad++ code signing certificate issued by DigiCert.
    As a result, the updater for both plugins & Notepad++ itself will not function - I will adjust the security mechanism to restore the functionality, and will post 8.8.2 RC2 here ASAP.
    Edit: the security mechanism has been switched from the certificate check to SHA256 check. The updater & plugin manager will work in 8.8.2 RC2

    In order to renew the code signing certificate, I also have to renew the trademark (which, unfortunately, has expired as well). The trademark is currently under examination and listed as pending. I’ve contacted DigiCert validation team to ask whether it’s possible to issue the certificate to “Notepad++” while the trademark is still pending.
    However, since they also require Notepad++ to be a recognized business entity, we’ll most likely proceed without code signing - at least for this version. :(

    Edit: An announcement has been made to notify users about the situation of upcoming release, and to ask for help in obtaining a certificate:
    https://notepad-plus-plus.org/news/8.8.2-available-in-1-week-without-certificate/

    Notepad++ v8.8.2 change log:

    1. Fix regression of folding state not being remembered through sessions. (Fix #16597 , #16670 )
    2. Fix “Go To Settings” links in Style Configurator regression (from v8.8). (Fix #16592 )
    3. Fix small regression of tab background (hovered) highlighting issue after drag&drop. (Fix #16559 )
    4. Fix an unresponsive (hang) issue due to hide lines. (Fix #16316 )
    5. Fix installer security issue by using the absolute path instead of an unspecified path (CVE-2025-49144). (commit , fix report on GitHub , fix #16744 )
    6. Installer component “WinGUp”: update cURL to 8.13.0 for fixing cURL’s security issue CVE-2025-0167. (Fix #16531 , #16515 )
    7. Update to scintilla 5.5.7 & Lexilla 5.4.5. (Implement #16649 )
    8. Add feature to update Notepad++ on exit. (Fix #16601 , #13749 , #10317 , #8495 , #8457 , #3755 )
    9. Add “/relaunchNppAfterSilentInstall” command argument for installer. (Fix #issue )
    10. Add feature to set read-only attribute on file so user can toggle (set/remove) read-only attribute of a file. (Fix #326 , #4594 , #6216 , #7841 , #12520 , #15571 , #16603 )
    11. Add new plugin API: NPPM_GETTOOLBARICONSETMODE & NPPN_TOOLBARICONSETCHANGED to get toolbar icon set choice. (Fix #16547 , #16646 )
    12. Deprecate 3 APIs: Deprecate NPPM_GETOPENFILENAMES, NPPM_GETOPENFILENAMESPRIMARY & NPPM_GETOPENFILENAMESSECOND. (Fix #15997 )
    13. Add new feature of using first line of untitled document for its tab name. (Fix #3994 , #16584 )
    14. Enhance NPPM_DARKMODESUBCLASSANDTHEME: Enable darkmode progress bar for plugins. (Fix #16675 )
    15. Various dark mode enhancements. (Fix #16668 , #16674 , #16560 , #16537 , #issue )
    16. Fix right click on caption bar unhidding main menu. (Fix #16652 )
    17. Fix rename tab error message when tab name is unchanged. (Fix #16661 )
    18. Fix Python FunctionList absorbing next function issue if space after colon. (Fix #16636 )
    19. Remove .log from errorlist lexer’s default extensions. (Fix #16627 )
    20. Make raw string syntax highlighting work for Golang. (Fix #16609 )
    21. Fix Notepad++ tray icon lost after Windows Taskbar crashing & being relaunched. (Fix #16588 )
    22. Fix changing toolbar icon set not updating to matching panel icon set. (Fix #16595 )
    23. Fix Windows dialog file list not react with keystroke (character match). (Fix #2239 )
    24. Add “*” mark on modified file entries in “Windows” dropdown menu. (Fix #16542 )

    Fix #5 "Fix installer security issue CVE-2025-49144" has been included in the Release Candidate, but it was meant to be disclosed only after the official release to prevent potential exploitation by hackers. However the information has already been broadcasted on Internet, and I've received several emails regarding the issue - so here it is.

    This vulnerability doesn't affect Notepad++ itself, only the installer. If you already have Notepad++ installed, you are not impacted. But if you're planning to install or update Notepad++, please use v8.8.2 installer.

    S P X D 7 Replies Last reply Jun 22, 2025, 10:45 PM Reply Quote 3
    • S
      Snabel42 @donho
      last edited by Jun 22, 2025, 10:45 PM

      @donho did Plugin Manager get excluded?

      P 1 Reply Last reply Jun 22, 2025, 11:06 PM Reply Quote 0
      • P
        PeterJones @donho
        last edited by Jun 22, 2025, 11:04 PM

        @donho said in Notepad++ v8.8.2 Release Candidate:

        Notepad++ release candidate 8.8.2 is available here:
        http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC/

        The names of nearly all the files are wrong (still saying 8.8.1)
        11fbab58-b5e9-40f7-a375-49a759e09a5c-image.png

        D 1 Reply Last reply Jun 23, 2025, 12:32 AM Reply Quote 1
        • P
          PeterJones @Snabel42
          last edited by PeterJones Jun 22, 2025, 11:07 PM Jun 22, 2025, 11:06 PM

          @Snabel42 said in Notepad++ v8.8.2 Release Candidate:

          did Plugin Manager get excluded?

          I assume you mean Plugins Admin.

          The nppPluginList.dll is in the right location, so it’s “included”. My bet is that because it’s not signed, like the installer, it’s not passing the permissions issue, so @donho will have to make sure that unsigned nppPluginList.dll works in RC2 as well.

          S 1 Reply Last reply Jun 23, 2025, 12:45 AM Reply Quote 2
          • D
            donho @PeterJones
            last edited by Jun 23, 2025, 12:32 AM

            @PeterJones
            I forgot to rebuild x86 & arm64 Notepad++, hence the wrong version value.
            It’s fixed now.

            1 Reply Last reply Reply Quote 1
            • S
              Snabel42 @PeterJones
              last edited by Jun 23, 2025, 12:45 AM

              @PeterJones said in Notepad++ v8.8.2 Release Candidate:

              @Snabel42 said in Notepad++ v8.8.2 Release Candidate:

              did Plugin Manager get excluded?

              I assume you mean Plugins Admin.

              Yes, Plugins Admin

              The nppPluginList.dll is in the right location, so it’s “included”. My bet is that because it’s not signed, like the installer, it’s not passing the permissions issue, so @donho will have to make sure that unsigned nppPluginList.dll works in RC2 as well.

              I used npp.8.8.2.Installer.x64.exe to upgrade my existing installation. Plugins Admin is no longer visible in it’s previous spot on the Plugins menu.

              P 1 Reply Last reply Jun 23, 2025, 12:53 AM Reply Quote 0
              • P
                PeterJones @Snabel42
                last edited by PeterJones Jun 23, 2025, 12:53 AM Jun 23, 2025, 12:53 AM

                @Snabel42 said in Notepad++ v8.8.2 Release Candidate:

                Plugins Admin is no longer visible in it’s previous spot on the Plugins menu.

                Sorry, I guess I was not explicit enough: My explanation paragraph was trying to say that I can confirm your finding, and thus I gave my best guess as to why it’s not working.

                1 Reply Last reply Reply Quote 0
                • X
                  xomx @donho
                  last edited by Jun 23, 2025, 7:39 AM

                  @donho said in Notepad++ v8.8.2 Release Candidate:

                  binaries are not signed

                  In such a case be prepared for an increase of AV false positives (which is unfortunate because it will also bring an increase of the risk of the app being compromised somehow (remember e.g. the CIA special ed…)).

                  updater for both plugins & Notepad++ itself will not function - I will adjust the security mechanism

                  So please do not trigger such a version for an auto-update!

                  This opens a door e.g. for a MITM attack. Doublecheck especially the downloaded & updated plugins. If only one of the plugins’ dl-sites will get compromised…

                  require Notepad++ to be a recognized business entity, we’ll most likely proceed without code signing

                  Did you consider the @Ekopalypse SignPath proposal?
                  I understand that it wouldn’t be ideal, and the cert will not bear the name “Notepad++”, but there would be the integration directly into the GitHub…

                  1 Reply Last reply Reply Quote 2
                  • X
                    xomx
                    last edited by Jun 23, 2025, 8:12 AM

                    @donho

                    IDK if it’s still true but I found an info that right now, Comodo is the only certauth that issues individual code signing certificates. The verification process conducted by Comodo requires you to provide three documents:

                    1. Government-Issued Identification,
                    2. Financial Documentation, and
                    3. Non-Financial Documentation.

                    More here .

                    1 Reply Last reply Reply Quote 1
                    • D
                      donho @donho
                      last edited by Jun 23, 2025, 3:35 PM

                      FYI: 8.8.2 RC2, which switches the security mechanism from the certificate check to SHA256 check to make updater & plugin manager work, is available here:
                      http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC2/

                      P D 2 Replies Last reply Jun 23, 2025, 3:56 PM Reply Quote 4
                      • P
                        PeterJones @donho
                        last edited by Jun 23, 2025, 3:56 PM

                        @donho said in Notepad++ v8.8.2 Release Candidate:

                        FYI: 8.8.2 RC2, which switches the security mechanism from the certificate check to SHA256 check to make updater & plugin manager work, is available here:

                        I can confirm that RC2 fixes the problem with Plugins Admin not showing up. Thanks!

                        1 Reply Last reply Reply Quote 2
                        • D
                          donho @donho
                          last edited by donho Jun 23, 2025, 4:32 PM Jun 23, 2025, 4:27 PM

                          @PeterJones @Snabel42

                          Sorry, I guess I was not explicit enough: My explanation paragraph was trying to say that I can confirm your finding, and thus I gave my best guess as to why it’s not working.

                          I confirm what Peter has said. For giving more detail: Plugin Admin can be visible under 2 conditions:

                          1. PluginList component exits & checked by SecurityGuard of Notepad++
                          2. WinGUp component exits & checked by SecurityGuard of Notepad++

                          There are 2 methods for SecurityGuard to check components: by certificate or by SHA256.
                          In RC2 the mechanism of SHA256 is activated, so Plugin Admin will work in RC2, which is available on above post.

                          @xomx

                          In such a case be prepared for an increase of AV false positives

                          Yes, unfortunately we have to face to this situation.

                          (which is unfortunate because it will also bring an increase of the risk of the app being compromised somehow (remember e.g. the CIA special ed…)).

                          Back to the hack from CIA, Scintilla component was separated from Notepad++, and there was no verification at all while Notepad++ loading DLL of Scintilla.
                          The 8.8.2 RC2 has not the same situation: SHA256 of components are checked before they are loaded:
                          https://github.com/notepad-plus-plus/notepad-plus-plus/commit/999ec7a6c140f8f2b895ef27e48c0c978f6d621d

                          So please do not trigger such a version for an auto-update!
                          This opens a door e.g. for a MITM attack. Doublecheck especially the downloaded & updated plugins. If only one of the plugins’ dl-sites will get compromised…

                          So far, all the Notepad++ releases with the code signing don’t check the certificate of downloaded installer before lauching it. But indeed, users cannot know if the downloaded installer is authentic. I’ll see what I can do about it.

                          Did you consider the @Ekopalypse SignPath proposal?

                          It could be a solution despite all the inconveniences… I’ll consider it if other solutions fail.

                          IDK if it’s still true but I found an info that right now, Comodo is the only certauth that issues individual code signing certificates.

                          Thank you for the link - I will check it.

                          S X 2 Replies Last reply Jun 23, 2025, 4:42 PM Reply Quote 4
                          • S
                            Snabel42 @donho
                            last edited by Jun 23, 2025, 4:42 PM

                            @donho said in Notepad++ v8.8.2 Release Candidate:

                            In RC2 the mechanism of SHA256 is activated, so Plugin Admin will work in RC2, which is available on above post.

                            Confirmed

                            1 Reply Last reply Reply Quote 0
                            • R
                              rddim
                              last edited by Jun 23, 2025, 7:53 PM

                              Need more room for localization of Add new feature of using first line of untitled document for its tab name - https://github.com/notepad-plus-plus/notepad-plus-plus/commit/abc23714db987e699476f6b6a3af0fe44e0bc0a2#r159346955

                              1 Reply Last reply Reply Quote 0
                              • X
                                xomx @donho
                                last edited by xomx Jun 23, 2025, 11:12 PM Jun 23, 2025, 10:14 PM

                                @donho said in Notepad++ v8.8.2 Release Candidate:

                                SHA256 of components are checked before they are loaded:

                                Then it’s ok, indeed.
                                Please correct me if I am wrong but it’s ok only until someone will not refresh the CIA idea to distribute (MITM or fake N++ installers) modified notepad++.exe & nppPluginList.dll files (now, without the certs preventing modification, it will be an easy target for a covert malicious use…)

                                1 Reply Last reply Reply Quote 1
                                • X
                                  xomx @donho
                                  last edited by Jun 23, 2025, 10:29 PM

                                  @donho said in Notepad++ v8.8.2 Release Candidate:

                                  1. Add feature to set read-only attribute on file so user can toggle (set/remove) read-only attribute of a file.

                                  Just fixed one (probably long standing) related issue:

                                  fix toggleReadOnlyFlagFromFileAttributes when invalid file attribute(s) or insufficient user rights #16733

                                  (for STR just create with admin-rights e.g. C:\Program Files\test-RO.txt file and set its R/O-attribute, then open it as a non-admin in N++ and try to toggle (in older N++ use the “Clear Read-Only Flag” menu item) that read-only file attribute, then check it in Explorer or simply Alt-Tab from/to N++ and see that the tab R/O-state is back as the file read-only attribute removing failed due to insufficient rights…)

                                  D 1 Reply Last reply Jun 24, 2025, 1:16 AM Reply Quote 1
                                  • D
                                    donho @xomx
                                    last edited by Jun 24, 2025, 1:16 AM

                                    @xomx

                                    Just fixed one (probably long standing) related issue:

                                    Merged into master now. Thank you.
                                    I will add the warning message then update to the RC3.

                                    Please correct me if I am wrong but it’s ok only until someone will not refresh the CIA idea to distribute (MITM or fake N++ installers) modified notepad++.exe & nppPluginList.dll files (now, without the certs preventing modification, it will be an easy target for a covert malicious use…)

                                    You’re not wrong. But even with the code signing protection, people can still do code signing on their home-made Notepad++ installer to gain the trust. I admit it’s much harder though.

                                    X 1 Reply Last reply Jun 24, 2025, 5:28 AM Reply Quote 2
                                    • X
                                      xomx @donho
                                      last edited by xomx Jun 24, 2025, 5:48 AM Jun 24, 2025, 5:28 AM

                                      @donho said in Notepad++ v8.8.2 Release Candidate:

                                      I will add the warning message

                                      Ok.

                                      Just FYI - I have in progress (so far so good, I’m already using it, it just needs to be tested more) a native N++ replacement for the deprecated NppSaveAsAdminPlugin. My concept used there will allow an easy addition of another N++ ops requiring the UAC-prompt elevation. That’s why I left this comment in my above fix when the SetFileAttributes failed - // probably the ERROR_ACCESS_DENIED (5) (TODO: UAC-prompt candidate).


                                      One more thing - I don’t think I would be the only one here who would offer to share the costs of getting the new certificate so that you don’t have to finance it only yourself. Just say so if needed.

                                      D 1 Reply Last reply Jun 24, 2025, 3:57 PM Reply Quote 6
                                      • D
                                        donho @donho
                                        last edited by Jun 24, 2025, 3:44 PM

                                        FYI, RC3, in which a bug of new feature “Read-only attribute in Windows” is fixed, is available now - you can download it from the 1st post.

                                        1 Reply Last reply Reply Quote 1
                                        • D
                                          donho @xomx
                                          last edited by Jun 24, 2025, 3:57 PM

                                          @xomx

                                          Just FYI - I have in progress (so far so good, I’m already using it, it just needs to be tested more) a native N++ replacement for the deprecated NppSaveAsAdminPlugin. My concept used there will allow an easy addition of another N++ ops requiring the UAC-prompt elevation.

                                          So is it also a plugin or it’s a piece of code? It’ll be very helpful for saving, which is part of core functions in Notepad++. Though I consider toggling R/O file attribute flag as a helper not part of core functions, it’s still nice to have.

                                          One more thing - I don’t think I would be the only one here who would offer to share the costs of getting the new certificate so that you don’t have to finance it only yourself. Just say so if needed.

                                          Thank you! And thank you guys willing to contribute to the cost of the new certificate!
                                          In fact, before leaving X, I tweeted about the certificate expiration issue, and DigiCert (I believe someone from their market team) has responded positively, offering a free of charge certificate.

                                          Thanks to their generosity, I haven’t had to pay for a code signing certificate in the past 9 years:

                                          f9e78267-a0d9-4d0d-b059-b67d4a8beab6-image.png

                                          However, the validation process is another story. It’s not the first time the name “Notepad++” has been rejected - I do understand the validation team’s position. But every single time I have had to communicate, negotiate, beg or/and shout on Twitter to gain a certificate issued under the name “Notepad++”. This circle repeats every 3 years, and frankly, I’m getting tired of it.

                                          So thank you again for your kind & noble offer. Even if I had to pay for the certificate, it’s not about the money - it’s about signing our code under the name “Notepad++”. I believe we at least deserve that much.

                                          X 2 Replies Last reply Jun 24, 2025, 6:09 PM Reply Quote 6
                                          6 out of 36
                                          • First post
                                            6/36
                                            Last post
                                          The Community of users of the Notepad++ text editor.
                                          Powered by NodeBB | Contributors