* Use file name whitelist to prevent RCE
Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to a RCE attack.
* Allow alphabet characters from all languages
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.
* Only use file name whitelist on Windows
* Log error message if file name does not pass whitelist
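The whitelist check these commit messages describe, as an added example that is not the project's own code. The pattern is the one quoted in the message above; `isSafeFileName`, `openIfSafe`, `rejectedNames`, the `launch` callback and the sample names are hypothetical and constructed for illustration.

```javascript
// Added example, not the project's code. Pattern copied from the commit message;
// needs a runtime with Unicode property escapes (Node 10+), so no transpiled form is inlined.
const FILE_NAME_WHITELIST = /^[\p{L}0-9/.\-_]+$/u;

// Hypothetical helper. The whitelist is enforced on Windows only, as the later
// commit states; on other platforms every name passes this particular check.
function isSafeFileName(fileName, platform = process.platform) {
  if (platform !== 'win32') return true;
  return typeof fileName === 'string' && FILE_NAME_WHITELIST.test(fileName);
}

// Hypothetical wrapper: `launch` stands in for whatever starts the editor.
// A rejected name is logged and never reaches `launch`.
function openIfSafe(fileName, launch, platform = process.platform, log = console.error) {
  if (!isSafeFileName(fileName, platform)) {
    // JSON.stringify keeps control characters in the name out of the log line.
    log('Could not open ' + JSON.stringify(fileName) +
        ': file name contains characters outside the whitelist.');
    return false;
  }
  launch(fileName);
  return true;
}

// Constructed sample names (not taken from any real project).
const SAMPLE_NAMES = [
  'src/App.js',         // letters, slash, period: accepted
  'src/компонент.js',   // non-Latin letters are covered by \p{L}: accepted
  'src/my file.js',     // valid on disk, but a space is outside the whitelist
  'src/a&b.js',         // shell metacharacter: rejected
  'C:\\proj\\App.js',   // ':' and '\' are not in this pattern either
];

// Returns the names that the whitelist refuses on the given platform.
function rejectedNames(names, platform) {
  return names.filter((name) => !isSafeFileName(name, platform));
}

console.log(rejectedNames(SAMPLE_NAMES, 'win32'));
```

The third and fifth samples show the trade-off the first message accepts: the whitelist refuses some legitimate names in exchange for never passing an unexpected character through.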
- [x] Utilize webpack 4 development and production modes
- [x] Upgrade webpack dev server
- [x] Webpack 4 compatible release of thread-loader
- [x] Webpack 4 compatible release of HtmlWebpackPlugin
- [x] Webpack 4 compatible release of SwPrecacheWebpackPlugin
- [x] Webpack 4 compatible release of WebpackManifestPlugin
- [x] Update README
- [x] Update WebpackDevServerUtils
- [x] Update InterpolateHtmlPlugin
- [x] Update ModuleScopePlugin
- [x] Update WatchMissingNodeModulesPlugin
- [x] Move UglifyJS options to webpack 4 optimize
- [x] Move InterpolateHtmlPlugin to make it tapable on HtmlWebpackPlugin
- [x] vendor splitting via splitChunks.splitChunks (https://twitter.com/wSokra/status/969633336732905474)
- [x] long term caching via splitChunks.runtimeChunk (https://twitter.com/wSokra/status/969679223278505985)
- [x] Make sure process.env.NODE_ENV is proxied correctly to `react-error-overlay`
- [x] Implicit webpack.NamedModulesPlugin in dev config as it's the default in webpack 4
- [x] Disable webpack performance hints as we have our own filesize reporter
- [x] Replace ExtractTextPlugin with MiniCssExtractPlugin
- [x] Switch to css whole file minification via OptimizeCSSAssetsPlugin rather than per module css minification to gain performance
* allow appSrc accepting an array
* fixture of finding all appSrcs logic
* update docs on ModuleScopePlugin accepts an array for appSrc
* minor typo fix in docs: change directory to directories.
* Add explicit dep on plugin-proposal-object-rest-spread to babel-preset-react-app
* Bump babel-related deps to beta.42
* Pass useBuiltIns directly to react-preset
* Run yarn after ejecting.
* On eject, choose to run yarn instead of npm if yarn is available.
* Move monorepo to react-dev-utils.
* Fix lint.
* Rename monorepo to workspaceUtils.
* Add react-dev-utils dep for create-react-app.
* getMonorepo -> findMonorepo
* change link to advanced deployment
* Use custom CRA link for deployment
* use custom link for minification failure
* update link for deployment
* feedback
* Offer to set browser defaults
* Catch error on no
* Add ending newlines
* Ensure we re-check to prevent defaults from leaking
* Reduce nesting
* Add defaults message
* More explicit
* Update dependencies in react-scripts
* Add first pass of working dependencies for babel-preset-react-app and react-scripts
* Bump more dependency versions
* Adjust more versions and edit fix options
* Restore functionality of old preset
* Disable Uglify in iframe webpack
* Apply prettier
* Re-enable cache in dev and clean deps
* Lock packages and move babel/core to dep in preset
* Bump babel-jest
* Re-enable uglify
* Nest forceAllTransforms correctly in webpack config
* Install babel-core bridge for jest
* Add jest-cli and babel-core bridge to make tests in react-error-overlay pass
* Re-enable transform-dynamic-import
* Add dynamic import syntax support back
* Use new babel in kitchensink
* Transform modules in test
* Revert "Transform modules in test"
This reverts commit 539e46a1d77259898b7e70d778a5e43fc25edc2a.
* Attempt fix for ejected tests
* try this
* Add regenerator back
* Bump babel deps to beta.34
* Remove bad files
* Use default when requiring babel transform plugin
* Bump deps
* Try the fix?
* Oopsie
* Remove some weird things
* Run Babel on react-error-overlay tests
* Try fixing kitchensink
* Use new API for codeFrame
* Add missing (?) babelrc
* Maybe this helps?
* Maybe fix mocha
* I shouldn't have deleted this 🤦
* update jest to 21.0.2 to support watchPathIgnorePatterns configuration
* update jest to 21.1.0
* Try bumping Jest
* Bump babel-jest
* Try to debug weird CI failure
* Remove debug code
* Bump other Jest packages
* ffs
* temp
* Revert "temp"
This reverts commit 62aec9ac1ae70a995a89548feb7ac7870e5324c0.
awk splits lines based on spaces, which causes directory names with spaces to end up in other fields. Using a for loop allows us to print from the 9th field onwards instead of just the 9th field.
If a create-react-app project is ejected and the webpack configuration is
modified to a multi-build setup, FileSizeReporter would fail.
In those situations the `webpackStats` parameter would contain a stats array
for each build. This fix will try to access stats and then fall back
to using the plain webpackStats object.
* Update the string that clears the console.
#1914
I've tested it with Windows 10 and 7, node versions from ~5.0.0 up to 7.7.0.
Didn't manage to test it on 8 but it should be fine.
* Update windows string
Add windows specific string for clearing the console.
* add support to set REACT_EDITOR to none
* change README message
* change condition to avoid problems with editor being null
* move condition to avoid extra code
* Fix path regex match bug
* Use the escape-string-regexp package to escape regex characters
* Remove redundant character escape from path
* Add removed escape of backslashes