mdedit Lexandro's App Factory
winget install --id=lexandro.mdedit -e A fast, native Windows Markdown editor for MD files.
winget install --id=lexandro.mdedit -e A fast, native Windows Markdown editor for MD files.
A fast, native Windows Markdown editor built with Tauri 2 (Rust) and Svelte 5. Small binary, native WebView2, no Electron bloat.
The quickest way is winget (built into Windows 10/11):
winget install lexandro.mdedit
Other options:
choco install mdedit (pending first-time moderation).msi or .exe from the latest releaseUpdates arrive through the same channel you installed from — and the app also has a built-in updater (Settings → Check for updates).
Editing
/date, /code, /table…); tab-stop fields and date/time variables with a configurable formatRendering
:shortcode: emoji$…$ and display $$…$$Productivity
Files & UI
> Live mode is a CodeMirror-based inline rendering (Obsidian "Live Preview" > style): the document stays plain Markdown under the hood, so saving, encoding > and sessions are unaffected, and you can switch back to Source/Split anytime.
| Split view | Command palette |
|---|---|
![]() | ![]() |
| Math & diagrams | Settings |
|---|---|
![]() | ![]() |
| Layer | Choice |
|---|---|
| Shell | Tauri 2 (Rust) + WebView2 |
| Frontend | Svelte 5 + SvelteKit (SPA) + Vite + TypeScript |
| Source editor | CodeMirror 6 |
| Rendering | markdown-it + Mermaid + highlight.js, sanitized with DOMPurify |
bun install # install frontend dependencies
bun run tauri dev # launch the app in dev mode (hot reload)
bun run tauri build # produces a native installer + .exe under src-tauri/target/release
Push a vX.Y.Z tag and CI builds signed installers, publishes the GitHub
Release, and submits to winget and Chocolatey. The full maintainer runbook
(signing keys, winget/Chocolatey setup, the in-app updater) is in
docs/RELEASING.md.
Rendered Markdown is untrusted input, so the preview is defended in depth:
markdown-it runs with html: false (raw HTML in the source is escaped).src-tauri/tauri.conf.json → app.security.csp):
script-src 'self' — no inline/injected scripts (Tauri auto-hashes the
app's own bootstrap script); object-src 'none', base-uri 'self'.style-src 'self' 'unsafe-inline' — required because CodeMirror and Mermaid
inject styles at runtime (styles can't execute code, so this is low-risk).img-src also allows https: and data: so remote/inline preview images load.devCsp (adds 'unsafe-inline' 'unsafe-eval' + ws:/http: localhost)
is used only under tauri dev for Vite HMR; it never ships.> The updater's network requests run in Rust (reqwest), so they are not subject
> to the WebView CSP — connect-src only needs ipc:.
> If Mermaid diagrams ever fail to render in a production build with a CSP
> error about eval, add 'wasm-unsafe-eval' (or, as a last resort,
> 'unsafe-eval') to script-src in the production csp. Current Mermaid (v11)
> is expected to work without it.
src/ SvelteKit frontend (UI, editor, preview, stores)
src-tauri/ Rust backend (file I/O commands, window, menu, config)
Planned work and the reasoning behind it live in ROADMAP.md — next up: a visual table editor.