The `formatter` option is incompatible with `thread-loader`.
The `formatter` option previously accepted a function which was lost during JSON serialization.
* Use file name whitelist to prevent RCE
Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to an RCE attack.
* Allow alphabet characters from all languages
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.
* Only use file name whitelist on Windows
* Log error message if file name does not pass whitelist
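
The allowlist check described in the commit messages above, as an added example that is not code from the repository. The function names, the `platform` parameter and the sample file names are assumptions constructed for illustration; only the pattern is taken from the text. It also shows which legitimate names the pattern rejects.

```javascript
// Pattern quoted in the commit message: letters from any language, digits,
// slash, period, dash and underscore. Everything else is rejected.
const FILE_NAME_ALLOWLIST = /^[\p{L}0-9/.\-_]+$/u;

// Hypothetical helper: decides whether a user-provided file name may be used.
// Per the commit messages, the allowlist is enforced only on Windows.
function isAllowedFileName(fileName, platform = process.platform) {
  if (typeof fileName !== 'string' || fileName.length === 0) return false;
  if (platform !== 'win32') return true;
  return FILE_NAME_ALLOWLIST.test(fileName);
}

// Hypothetical wrapper: returns the name if accepted, otherwise logs an
// error message (as the last commit describes) and returns null.
function validateOrLog(fileName, platform = process.platform, log = console.error) {
  if (isAllowedFileName(fileName, platform)) return fileName;
  log(
    `Refusing file name ${JSON.stringify(fileName)}: ` +
      'only letters, digits, "/", ".", "-" and "_" are allowed on Windows.'
  );
  return null;
}

// Constructed sample inputs, not taken from any real project.
const SAMPLES = [
  'src/App.js',                 // plain ASCII path
  'src/компонент.js',           // non-Latin letters pass via \p{L}
  'src/App.js & echo injected', // space and "&" are outside the allowlist
  'my file.js',                 // valid name, rejected because of the space
  'C:\\proj\\App.js',           // valid path, rejected because of ":" and "\"
];

// Returns [name, accepted] pairs for the given platform.
function classifySamples(platform) {
  return SAMPLES.map((name) => [name, isAllowedFileName(name, platform)]);
}

for (const [name, ok] of classifySamples('win32')) {
  console.log(`${ok ? 'accept' : 'reject'}  ${name}`);
}
```

The last two samples are the cost of choosing an allowlist: some valid file names are refused, which is the trade-off the commit message accepts.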
* support scoped packages for cra --scripts-version option
* separate out kitchensink test
* add eject to node 6 testing
* travis node 6 eject
* fix CI warnings
To analyze Webpack bundles, a "stats" JSON is required.
This PR allows that file to be created and saved to the `build`
directory, so that users can use it with Webpack-specific insight
tools like `webpack-bundle-analyzer` without ejecting their
application.
Updated the README to include details for how to do this.
* Update paths.js, rename shadow path variable
This file requires the "path" module and sets it to a variable `path`. The function `ensureSlash` also has a variable `path` that then shadows the `path` module.
* Update paths.js
* Removes Chokidar Recursive Flag
According to the changelog it is not necessary anymore as it doesn't do anything.
* Removes initial build on SCSS watch
Chokidar now does this on its own.
* Removes sass watch recursive, default include-path
as proposed by @michaelwayman
* Removes another left-over build-css
Support for .mjs files added in #3239 did not account for npm libraries which ship native mjs files alongside js files. This accounts for this by ensuring .js files resolve before their accompanying .mjs file. Note that this is not an ideal end state since selecting a .mjs over a .js extension should be the result of whether `import` was used instead of `require()` in a node environment with native ESM support (currently via `--experimental-modules`). Instead, this change just *always* selects a .js extension before the .mjs extension if it exists.
This unbreaks support for using GraphQL (relay, apollo, etc) within create-react-app projects.