Notepad++ v8.8.9: Vulnerability-fix

cr0wm4n

I have just downloaded the 8.8.9 msi and was going to upgrade my current 8.8.8 which was installed with intune. It will not upgrade as the product version in this 8.8.9 version is still set to 8.8.8 as can be seen here in Orca.

Denny-89

I’ve updated from v8.8.8 to v8.8.9 and suddenly the change history bar (or whatever it’s called) became white. Not a big issue, but extremely annoying. I’ve looked through the settings and couldn’t find anything specific to the history bar except turning it off all together which i don’t want. I’m using Win11 (3840x2160, 200% scaling) and the default Notepad++ dark theme.

v8.8.9

v8.8.8

donho

@cr0wm4n

I have just downloaded the 8.8.9 msi and was going to upgrade my current 8.8.8 which was installed with intune. It will not upgrade as the product version in this 8.8.9 version is still set to 8.8.8 as can be seen here in Orca.

My bad, the version number in MSI was not changed during the build process.
Please try this signed MSI, and confirm me the problem is fixed:
https://download.notepad-plus-plus.org/repository/MISC/npp.8.8.9.Installer.x64.msi

donho

@Denny-89 said in Notepad++ v8.8.9: Vulnerability-fix:

I’ve updated from v8.8.8 to v8.8.9 and suddenly the change history bar (or whatever it’s called) became white. Not a big issue, but extremely annoying. I’ve looked through the settings and couldn’t find anything specific to the history bar except turning it off all together which i don’t want. I’m using Win11 (3840x2160, 200% scaling) and the default Notepad++ dark theme.

I cannot reproduce it.
It could be caused by
8. Add ability to update users’ langs.xml & stylers.xml from model XML files.
By implementing this feature, the darkmode may not be considered and that makes this side effect.
@PeterJones can you confirm it?

cr0wm4n

@donho This looks better thankyou :)

donho

@cr0wm4n Thank you for your confirmation.

FYI, fixed MSI has been updated in downloaded page, as well for its GPG signature and its sha-256 hash.

Denny-89

@donho If it maybe helps - the files did indeed change. I’ve tried to temporary replace the newer ones with the old ones as a test, but langs.xml got immediately updated when i ran Notepad++ 8.8.9; stylers.xml surprisingly stayed the same old version.

Here’s a screenshot with the file properties from a 1 week old backup:

PeterJones

@Denny-89 said,

I’ve looked through the settings and couldn’t find anything specific to the history bar except turning it off all together which i don’t want.

Settings > Style Configurator > Language: Global Styles > Style: Change History margin and related. Searching the user manual page about Preferences for “change history” will find first the on/off control description, then the description of how to change the colors.

@donho said in Notepad++ v8.8.9: Vulnerability-fix:

By implementing this feature, the darkmode may not be considered and that makes this side effect.
@PeterJones can you confirm it?

There are two ways to handle bringing in the new style entries from stylers.model.xml: either I could just bring in the entire entry, so that all themes that are missing a given entry will then inherit the same color that is in stylers.model.xml (which will make the new entries stick out like a sore thumb, but that might nudge the user to go find all those new jarring colors, and assign values that are more to their liking); or, if the active theme has a dark background by default I could look up the Default Style’s foreground and background for that theme, and assign those as the foreground and background colors for all new style entries (so that all the new styles will be completely unnoticed by the user, and they won’t ever notice that the feature brought in the new styles).

So the first makes it jarring, but noticeable; the second won’t be as jarring, but people might not know that they’ve got a lot of new style colors that they could set to their liking to get better highlighting in many languages (and a few new GUI colors).

Right now, it’s implemented as the first. If you want, I could change it to the second: it’s a bit more effort, but it’s doable.

PeterJones

@Denny-89 said in Notepad++ v8.8.9: Vulnerability-fix:

stylers.xml surprisingly stayed the same old version.

Not surprising, to me. The new feature updates the just the active theme, so if you’ve got any theme other than Default (stylers.xml) chosen, any changes will have been saved in the themes\XYZ.xml file, not in stylers.xml. Since you are using one of the dark themes, you would have to look at that theme’s file for the change date, not stylers.xml.

Denny-89

@PeterJones said in Notepad++ v8.8.9: Vulnerability-fix:

@Denny-89 said in Notepad++ v8.8.9: Vulnerability-fix:

stylers.xml surprisingly stayed the same old version.

Not surprising, to me. The new feature updates the just the active theme, so if you’ve got any theme other than Default (stylers.xml) chosen, any changes will have been saved in the themes\XYZ.xml file, not in stylers.xml. Since you are using one of the dark themes, you would have to look at that theme’s file for the change date, not stylers.xml.

Thank you. I didn’t know the default dark theme is treated like a custom theme instead as a native color scheme like in other light/dark mode software, so i didn’t check the Style Configurator menu.

First i’ve changed just the history margin color, but then just decided to replace the whole themes folder with the one from 8.8.9 portable because there may be even more changes since May 2021 when my old DarkModeDefault.xml was created.

Coises

@donho said in Notepad++ v8.8.9: Vulnerability-fix:

Update to nlohman json 3.11.3. (Update #15041 )

I wondered why you updated to an out-of-date version…

You actually updated to 3.12, in #17242.

fuba82

Hi there, same bug here!

My own theme file is overwritten every time I load it…
This just happens since Notepad++ was updated to 8.8.9.

It worked flawless 8.8.9!
Means my own theme does no longer work with 8.8.9?

Nevermind, it works now!
Sorry for bothering you!

PeterJones

@fuba82 said in Notepad++ v8.8.9: Vulnerability-fix:

My own theme file is overwritten every time I load it…
This just happens since Notepad++ was updated to 8.8.9.

Could you be more specific? v8.8.9 should update your theme to include any styles it is missing, but it does not delete any of your customizations.

But just to make sure, please explain in detail what your problem is: is your “own theme” just a customized version of one of the built-in themes? Do you put it in the AppData hierarchy, or in the Program Files hierarchy? Could you share your Debug Info? If it’s losing any of your custom colors that you’ve defined, could you show us the “before” and “after” – the whole file is too big to paste here, obviously… but if you can show us the section where your information was lost (so show what it was in the old theme, and then what it became in the overwritten theme), that would be helpful.

fuba82

@PeterJones
Oh my… BIG sorry…

My Theme’s file size changed and my “first” load, however, displayed the “default” style and this confused/shocked me!
I copied over a backup of my Theme, the file size changed again, but now it works…

All fine now, it seems.
Sorry for my false positive!

donho

@PeterJones said in Notepad++ v8.8.9: Vulnerability-fix:

if the active theme has a dark background by default I could look up the Default Style’s foreground and background for that theme, and assign those as the foreground and background colors for all new style entries (so that all the new styles will be completely unnoticed by the user, and they won’t ever notice that the feature brought in the new styles).

I think it’s “the way to go”.

So the first makes it jarring, but noticeable; the second won’t be as jarring, but people might not know that they’ve got a lot of new style colors that they could set to their liking to get better highlighting in many languages (and a few new GUI colors).

The reason of “the way to go” is, if users don’t need to change anything, just let these features sleep.
As I said, a good tool is a tool transparent: user opens it, get jobs done, then closes it, without noticing or being bothered by anything unsual.

I could change it to the second: it’s a bit more effort, but it’s doable.

Thank you. Then it’ll be in the next release.

donho

@Coises said in Notepad++ v8.8.9: Vulnerability-fix:

I wondered why you updated to an out-of-date version…

You actually updated to 3.12, in #17242 .

I don’t really understand how/why I did this error.
It’s too late for the release note, but at least it’s fixed in both:
https://notepad-plus-plus.org/downloads/v8.8.9/
&
https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix

Thank you for your heads up.