fix(audits): outdated B6DC status code ranges

DoctorJohn · DoctorJohn · commit f6881271cc25 · 2025-06-25T17:39:25.000+02:00
Relevant section for status codes 2xx and 5xx: 6.4.1 application/json https://graphql.github.io/graphql-over-http/draft/#sel-FANNLVCCBCIsB7xT Relevant section for Status code 400: 6.4.1.1.1 JSON parsing failure https://graphql.github.io/graphql-over-http/draft/#sec-application-json.Examples.JSON-parsing-failure
diff --git a/src/audits/server.ts b/src/audits/server.ts
@@ -560,16 +560,21 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     ),
     audit(
       'B6DC',
-      'MAY use 4xx or 5xx status codes on JSON parsing failure',
+      'MAY use 2xx, 400, or 5xx status codes on JSON parsing failure when accepting application/json',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
           headers: {
             'content-type': 'application/json',
+            accept: 'application/json',
           },
           body: '{ "not a JSON',
         });
-        ressert(res).status.toBeBetween(400, 499);
+        ressert(res).status.toBeBetweenMultiple([
+          [200, 299],
+          [400, 400],
+          [500, 599],
+        ]);
       },
     ),
     audit(
diff --git a/src/audits/utils.ts b/src/audits/utils.ts
@@ -99,6 +99,19 @@ export function ressert(res: Response) {
           );
         }
       },
+      toBeBetweenMultiple: (ranges: Array<[number, number]>) => {
+        const isInRange = ranges.some(
+          ([min, max]) => min <= res.status && res.status <= max,
+        );
+        if (!isInRange) {
+          throw new AuditError(
+            res,
+            `Response status is not between any of the provided ranges: ${ranges
+              .map(([min, max]) => `[${min}, ${max}]`)
+              .join(', ')}`,
+          );
+        }
+      },
     },
     header(key: 'content-type') {
       return {
diff --git a/tests/__snapshots__/audits.test.ts.snap b/tests/__snapshots__/audits.test.ts.snap
@@ -188,7 +188,7 @@ exports[`should not change globally unique audit ids 1`] = `
   },
   {
     "id": "B6DC",
-    "name": "MAY use 4xx or 5xx status codes on JSON parsing failure",
+    "name": "MAY use 2xx, 400, or 5xx status codes on JSON parsing failure when accepting application/json",
   },
   {
     "id": "BCF8",

Original file line number	Diff line number	Diff line change
@@ -188,7 +188,7 @@ exports[`should not change globally unique audit ids 1`] = `
`188`	`188`	`},`
`189`	`189`	`{`
`190`	`190`	`"id": "B6DC",`
`191`		`- "name": "MAY use 4xx or 5xx status codes on JSON parsing failure",`
	`191`	`+ "name": "MAY use 2xx, 400, or 5xx status codes on JSON parsing failure when accepting application/json",`
`192`	`192`	`},`
`193`	`193`	`{`
`194`	`194`	`"id": "BCF8",`