This is where package managers shine. You never know if there are vulns in the update servers, and you don't know if they even bother with checksums. I never trust apps that self-update for exactly this reason. Turn that shit off and do
choco update notepadplusplus
or
winget upgrade Notepad++.Notepad++
Of course, this does nothing for bugs in the code.