* Use file name whitelist to prevent RCE

Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to a RCE attack.

* Allow alphabet characters from all languages

Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.

* Only use file name whitelist on Windows

* Log error message if file name does not pass whitelist

* add react-testing-library documentation/examples

* make react-testing-library a heading

* fix typo

 - react-dev-utils@5.0.1
 - react-scripts@1.1.4

 - react-scripts@1.1.3

 - react-scripts@1.1.2

Add troubleshooting for an issue that has to do with either 2FA, or using Windows, or both, when trying to deploy an app via gh-pages

Support for .mjs files added in #3239 did not account for npm libraries which ship native mjs files alongside js files. This accounts for this by ensuring .js files resolve before their accompanying .mjs file. Note that this is not an ideal end state since selecting a .mjs over a .js extension should be the result of whether `import` was used instead of `require()` in a node environment with native ESM support (currently via `--experimental-modules`). Instead, this change just *always* selects a .js extension before the .mjs extension if it exists.

This unbreaks support for using GraphQL (relay, apollo, etc) within create-react-app projects.

 - create-react-app@1.5.2
 - react-scripts@1.1.1

This reverts commit bab2c295.

I meant to apply it to `next` instead.

Update User Guide's README.md to include `json` and `css`
files in the command to format the entire project for the first time
with prettier, that it's consistent with the `lint-staged` command.

See #3837

 - babel-preset-react-app@3.1.1
 - create-react-app@1.5.0
 - eslint-config-react-app@2.1.0
 - react-dev-utils@5.0.0
 - react-error-overlay@4.0.0
 - react-scripts@1.1.0

* Add warning when HOST environment variable is set (#3719)

* Improve HOST environment variable warning message

* Adjust text and message

Closes #3719

* Always include destructuring transform

* Fix lint

* Bump detect-port-alt

* Bump again

* Switch to Yarn Workspaces

* Feedback

* Move flowconfig

* Use publish script

* Keep git status check

* Fix Flow without perf penalty

* Remove Flow from package.json "test"

* Try running it from script directly (?)

* Try magic incantations

* lol flow COME ON

* Try to skip Flow on AppVeyor

* -df

* -df

* -df

* Try to fix CI

* Revert unrelated changes

* Update CONTRIBUTING.md

* add link to deployment docs after build

* Update printHostingInstructions.js

* Use proxy for all request methods other than GET

* Add comment

* Replacing literal 'build' with `buildFolder` variable

* Cleaning up the printHostingInstructions a bit

* Fixing undefined variable

* Extend --scripts-version to include .tar.gz format

* Removal of debug console.log

* added getProxy

getProxy checks proxy settings from process.env.https_proxy or Yarn (NPM) config (.npmrc)

* changed yarn for npm to get https-proxy 

default value for https-proxy is null, not undefined like in yarn

awk splits lines based on spaces, which causes directory names with spaces to end up in other fields. Using a for loop allows us to print from the 9th field onwards instead of just the 9th field.

* fix #2223 - [feature] Implement dotenv-expand to accept variable expansion in dot env files

* add to README TOC

* fix readme

* Update README.md