At least JS code in a browser is sandboxed. A Notepad++ update is just rawdogging an executable on your bare metal, perhaps with admin privs even, and hoping for the best.