* Use file name whitelist to prevent RCE

Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to a RCE attack.

* Allow alphabet characters from all languages

Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.

* Only use file name whitelist on Windows

* Log error message if file name does not pass whitelist

* add react-testing-library documentation/examples

* make react-testing-library a heading

* fix typo

 - react-dev-utils@5.0.1
 - react-scripts@1.1.4

 - react-scripts@1.1.3

 - react-scripts@1.1.2

Add troubleshooting for an issue that has to do with either 2FA, or using Windows, or both, when trying to deploy an app via gh-pages

Support for .mjs files added in #3239 did not account for npm libraries which ship native mjs files alongside js files. This accounts for this by ensuring .js files resolve before their accompanying .mjs file. Note that this is not an ideal end state since selecting a .mjs over a .js extension should be the result of whether `import` was used instead of `require()` in a node environment with native ESM support (currently via `--experimental-modules`). Instead, this change just *always* selects a .js extension before the .mjs extension if it exists.

This unbreaks support for using GraphQL (relay, apollo, etc) within create-react-app projects.

 - create-react-app@1.5.2
 - react-scripts@1.1.1

This reverts commit bab2c295.

I meant to apply it to `next` instead.

Update User Guide's README.md to include `json` and `css`
files in the command to format the entire project for the first time
with prettier, that it's consistent with the `lint-staged` command.

See #3837

 - babel-preset-react-app@3.1.1
 - create-react-app@1.5.0
 - eslint-config-react-app@2.1.0
 - react-dev-utils@5.0.0
 - react-error-overlay@4.0.0
 - react-scripts@1.1.0

* Test Node 9 on CI

* Oops

* Add warning when HOST environment variable is set (#3719)

* Improve HOST environment variable warning message

* Adjust text and message

Closes #3719

* Always include destructuring transform

* Fix lint

* Bump detect-port-alt

* Bump again

All FB open source projects including this one enforce [our code of conduct](https://code.facebook.com/pages/876921332402685/open-source-code-of-conduct), but I just realized we haven't explicitly linked to it from a Markdown file. So I'm doing just that.

* This is a good default.
Adds approx 4 seconds to install time, but can save some headaches.

* Add no lockfile for add, too