v0.1.1
Notepatra v0.1.1 — bug fixes
Bug-fix release. Fixes the issues users hit on the v0.1.0 binaries — same features, same shortcuts, same APIs, just things actually working everywhere now.
Fixed
🪟 Windows: Markdown / SQL / JSON files now have syntax highlighting
Problem: The v0.1.0 Windows binary used a third-party CMake wrapper around the QScintilla source. The wrapper was missing the Lexilla bindings, leaving every QScintilla lexer class as a runtime no-op stub. Opening a .md, .sql, or .json file produced no highlighting at all.
Fix: The Windows CI now builds QScintilla 2.14.1 from Riverbank Computing's official source via qmake + nmake — the same source path that Linux (apt package) and macOS (Homebrew brew install qt@5 + source-built QScintilla) use. The Windows build now also runs the same test_lexers smoke test that Linux and macOS run, which instantiates every QsciLexer used by Notepatra and asserts each one produces non-empty styling. Any future stub-lexer regression on any platform will fail CI loudly with the lexer name.
🪟 Windows: notepatra.exe now has an embedded icon
Problem: v0.1.0 shipped without resources/notepatra.rc and resources/notepatra.ico, so MSVC's resource compiler had nothing to embed. Windows Explorer showed the generic "exe" icon for installed Notepatra.
Fix: Added a multi-resolution notepatra.ico (16/24/32/48/64/128/256) generated from notepatra-256.png, plus a notepatra.rc resource script with IDI_ICON1 ICON directive and full Windows VERSIONINFO (CompanyName, FileDescription, LegalCopyright, ProductVersion). Right-click notepatra.exe → Properties → Details now shows real metadata.
🍎 macOS: Notepatra.app now has an embedded icon
Problem: Same root cause — resources/notepatra.icns didn't exist, so macOS bundled Notepatra.app with the default app icon.
Fix: Generated a proper notepatra.icns with all required Apple icon sizes (16/32/128/256/512/1024) plus retina @2x variants. CMakeLists.txt was already wired to embed it; now it has something to embed.
🐧 Linux: launcher icon now resolves through hicolor theme
Problem: v0.1.0's install.sh set Icon=accessories-text-editor in the desktop entry, so launchers showed a generic editor icon.
Fix: install.sh now downloads the Notepatra PNGs into ~/.local/share/icons/hicolor/<size>x<size>/apps/notepatra.png for sizes 16/32/48/64/128/256 and runs gtk-update-icon-cache. The desktop entry now uses Icon=notepatra which resolves through the hicolor theme search path. Bonus: the desktop entry got GenericName, StartupWMClass, more Categories, more MimeType entries, and Keywords for better launcher search.
📝 JSON files with CRLF line endings were misclassified as JavaScript
Problem: editor.cpp had a CRLF-blind heuristic: trimmed.startsWith("{\n"). On Windows, JSON files almost always have CRLF line endings, so the second character is \r not \n. Every Windows JSON file was being misclassified and falling back to the JavaScript lexer.
Fix: New CRLF-agnostic heuristic. trimmed() already strips \r and \n, so just check whether the first non-whitespace char is { or [ and whether anything quoted appears in the first 200 chars. Works correctly on LF, CRLF, BOM, and indented JSON alike.
📝 CoffeeScript / Diff lexers — minor cleanup
- Empty
#ifdef HAS_LEXER_COFFEESCRIPTblock ineditor.cpphad no body — added the missingQsciLexerCoffeeScriptinstantiation that should have been there. - The
Difflexer was wrapped in#ifdef HAS_LEXER_D(theDlanguage guard) — removed the incorrect wrap.qscilexerdiff.his unconditionally included at the top ofeditor.cpp, so the wrap was both wrong AND preventing Diff highlighting.
Added (since v0.1.0)
🛡️ SECURITY.md + RFC 9116 security.txt
Notepatra now has a documented vulnerability disclosure path:
- SECURITY.md — full policy, threat model, verification guide, what's done and what's honestly not yet
/.well-known/security.txt— RFC 9116 contact + canonical + policy- Private vulnerability reporting via GitHub Security Advisories
🔐 Supply chain hardening for releases
Every release artifact (this one and all future) now ships with three independent integrity checks:
- SHA-256 checksums —
SHA256SUMSfile alongside the binaries.install.shandinstall.ps1verify automatically and refuse to install on mismatch. - Cosign signatures — keyless OIDC signing via Sigstore, certs recorded in the public Rekor transparency log. Verifies that the binary was built by the official
singhpratech/notepatraGitHub Actions workflow. - SLSA build provenance —
actions/attest-build-provenancecryptographically links each binary to the git commit + workflow file + runner that built it. Verify withgh attestation verify.
✅ Lexer smoke test in CI on every platform
test_lexers.cpp instantiates every QsciLexer used by Notepatra (21 of them), feeds each a sample document, runs the lexer, and asserts it produces ≥2 distinct styles. Stub lexers fail the test by name. Runs on Linux, macOS Apple Silicon, and Windows in every CI run.
✅ Windows runtime smoke test in CI
notepatra.exe --version actually runs in the Windows CI job after windeployqt + QScintilla DLL bundling. If any DLL is missing or wrong, the build fails before publishing.
🔍 CodeQL static analysis
New .github/workflows/codeql.yml runs CodeQL on the C++ source on every PR + weekly cron with the security-extended and security-and-quality query packs.
🤖 Dependabot
Weekly scans of /rust-core (cargo) and /.github/workflows/ (github-actions) for security and version updates.
🪪 Plain-English warranty disclaimer
The GPL-3.0 LICENSE file already had §15 (Disclaimer of Warranty) and §16 (Limitation of Liability) — the README and website footer now also surface them in plain English so users actually see them.
📜 Version history on the website
Notepatra.org has a new "Versions" section listing every release with dated highlights, just like Notepad++. Append-only — every future release adds a card.
Verifying this release
# Quick: verify SHA-256
sha256sum -c SHA256SUMS --ignore-missing
# Better: verify Sigstore signature
cosign verify-blob \
--certificate-identity-regexp '^https://github.com/singhpratech/notepatra/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--certificate notepatra-linux-x64.tar.gz.pem \
--signature notepatra-linux-x64.tar.gz.sig \
notepatra-linux-x64.tar.gz
# Best: verify SLSA build provenance
gh attestation verify notepatra-linux-x64.tar.gz --owner singhpratechFull guide in SECURITY.md.
Upgrading from v0.1.0
Re-run the same install command — install.sh / install.ps1 will fetch v0.1.1 and verify the SHA-256 before extracting.
# Linux / macOS
curl -fsSL https://notepatra.org/install.sh | sh
# Windows PowerShell
irm https://notepatra.org/install.ps1 | iexYour settings, sessions, plugins, and recovery files are untouched.
Credits
Envisioned by Prateek Singh. Built by Claude.
GPL-3.0. No warranty (see LICENSE §15/§16).