diff --git a/README.md b/README.md index e0d05d1f..5a6a00dd 100644 --- a/README.md +++ b/README.md @@ -733,9 +733,9 @@ If you want a feature-full server with bleeding edge technologies, you're recomm | ------------------------------------------------------------------ | ------------------------------------------------------------------ | | [graphql-yoga](https://www.the-guild.dev/graphql/yoga-server) | [✅ Fully compliant](/implementations/graphql-yoga/README.md) | | [hotchocolate](https://chillicream.com/docs/hotchocolate) | [✅ Fully compliant](/implementations/hotchocolate/README.md) | +| [apollo-server](https://www.apollographql.com/docs/apollo-server/) | [✅ Partially compliant](/implementations/apollo-server/README.md) | | [mercurius](https://mercurius.dev) | [✅ Partially compliant](/implementations/mercurius/README.md) | -| [graphql-helix](https://www.graphql-helix.com/) | [✅ Partially compliant](/implementations/graphql-helix/README.md) | -| [apollo-server](https://www.apollographql.com/docs/apollo-server/) | [⚠️ Not compliant](/implementations/apollo-server/README.md) | +| [graphql-helix](https://www.graphql-helix.com/) | [⚠️ Not compliant](/implementations/graphql-helix/README.md) | ## [Documentation](docs/) diff --git a/implementations/apollo-server/README.md b/implementations/apollo-server/README.md index 3214c561..03a3c97c 100644 --- a/implementations/apollo-server/README.md +++ b/implementations/apollo-server/README.md 
@@ -3,61 +3,63 @@ _* This report was auto-generated by graphql-http_ # GraphQL over HTTP audit report - **73** audits in total -- ✅ **32** pass -- ⚠️ **37** warnings (optional) -- ❌ **4** errors (required) +- ✅ **35** pass +- ⚠️ **38** warnings (optional) ## Passing -1. MUST accept utf-8 encoding -2. MUST assume utf-8 if encoding is unspecified -3. MUST accept POST requests -4. SHOULD respond with 4xx status code if content-type is not supplied on POST requests -5. MUST accept application/json POST requests -6. MUST require a request body on POST -7. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json -8. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json -9. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json -10. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json -11. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json -12. SHOULD allow string {query} parameter when accepting application/graphql-response+json -13. MUST allow string {query} parameter when accepting application/json -14. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json -15. MUST allow string {operationName} parameter when accepting application/json -16. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json -17. SHOULD allow map {variables} parameter when accepting application/graphql-response+json -18. MUST allow map {variables} parameter when accepting application/json -19. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json -20. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json -21. 
MUST allow map {extensions} parameter when accepting application/json -22. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json -23. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json -24. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json -25. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json -26. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json -27. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json -28. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json -29. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json -30. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json -31. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json -32. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json +1. SHOULD accept application/graphql-response+json and match the content-type +2. MUST accept application/json and match the content-type +3. MUST use utf-8 encoding when responding +4. MUST accept utf-8 encoding +5. MUST assume utf-8 if encoding is unspecified +6. MUST accept POST requests +7. SHOULD respond with 4xx status code if content-type is not supplied on POST requests +8. MUST accept application/json POST requests +9. MUST require a request body on POST +10. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json +11. 
SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json +12. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json +13. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json +14. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json +15. SHOULD allow string {query} parameter when accepting application/graphql-response+json +16. MUST allow string {query} parameter when accepting application/json +17. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json +18. MUST allow string {operationName} parameter when accepting application/json +19. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json +20. SHOULD allow map {variables} parameter when accepting application/graphql-response+json +21. MUST allow map {variables} parameter when accepting application/json +22. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json +23. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json +24. MUST allow map {extensions} parameter when accepting application/json +25. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +26. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json +27. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json +28. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json +29. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json +30. 
SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json +31. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json +32. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json +33. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json +34. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json +35. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json ## Warnings The server _SHOULD_ support these, but is not required. -1. SHOULD accept application/graphql-response+json and match the content-type
+1. SHOULD accept \*/\* and use application/graphql-response+json for the content-type
``` -Status code 400 is not 200 +Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json" ``` -2. SHOULD accept \*/\* and use application/graphql-response+json for the content-type
+2. SHOULD assume application/graphql-response+json content-type when accept is missing
``` -Status code 400 is not 200 +Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json" ``` -3. SHOULD assume application/graphql-response+json content-type when accept is missing
+3. MAY accept application/x-www-form-urlencoded formatted GET requests
``` Status code 400 is not 200 ``` -4. MAY accept application/x-www-form-urlencoded formatted GET requests
+4. MAY NOT allow executing mutations on GET requests
``` -Status code 400 is not 200 +Status code 400 is not 405 ``` 5. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json
``` @@ -139,74 +141,60 @@ Execution result {"data":{"__typename":"Query"}} does not have a property 'error ``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -25. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json
+25. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json
+``` +Status code 400 is not 200 +``` +26. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
``` Status code 400 is not 200 ``` -26. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json
+27. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json
``` Status code 200 is not 400 ``` -27. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json
+28. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json
``` Status code 200 is not 400 ``` -28. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json
+29. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json
``` Status code 200 is not 400 ``` -29. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json
+30. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json
``` Status code 400 is not 200 ``` -30. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json
+31. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json
``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -31. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json
+32. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json
``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -32. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json
+33. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json
``` Execution result {"data":{"__typename":"Query"}} does not have a property 'errors' ``` -33. SHOULD use 200 status code on JSON parsing failure when accepting application/json
+34. SHOULD use 200 status code on JSON parsing failure when accepting application/json
``` Status code 400 is not 200 ``` -34. SHOULD use 200 status code if parameters are invalid when accepting application/json
+35. SHOULD use 200 status code if parameters are invalid when accepting application/json
``` Status code 400 is not 200 ``` -35. SHOULD use 200 status code on document parsing failure when accepting application/json
+36. SHOULD use 200 status code on document parsing failure when accepting application/json
``` Status code 400 is not 200 ``` -36. SHOULD use 200 status code on document validation failure when accepting application/json
+37. SHOULD use 200 status code on document validation failure when accepting application/json
``` Status code 400 is not 200 ``` -37. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json
+38. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json
``` Response body is not valid JSON. Got "\n\n\n\nError\n\n\n
SyntaxError: Unexpected end of JSON input
   at JSON.parse (<anonymous>)
   at parse (/home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/types/json.js:89:19)
   at /home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/read.js:128:18
   at AsyncResource.runInAsyncScope (node:async_hooks:203:9)
   at invokeCallback (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:231:16)
   at done (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:220:7)
   at IncomingMessage.onEnd (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:280:7)
   at IncomingMessage.emit (node:events:513:28)
   at endReadableNT (node:internal/streams/rea... ``` -## Errors -The server _MUST_ support these. -1. MUST accept application/json and match the content-type
-``` -Status code 400 is not 200 -``` -2. MUST use utf-8 encoding when responding
-``` -Status code 400 is not 200 -``` -3. MUST NOT allow executing mutations on GET requests
-``` -Status code 400 is not 405 -``` -4. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
-``` -Status code 400 is not 200 -``` diff --git a/implementations/express-graphql/README.md b/implementations/express-graphql/README.md index 19bc0bcb..ecd5d58c 100644 --- a/implementations/express-graphql/README.md +++ b/implementations/express-graphql/README.md 
@@ -3,47 +3,48 @@ _* This report was auto-generated by graphql-http_ # GraphQL over HTTP audit report - **73** audits in total -- ✅ **36** pass +- ✅ **38** pass - ⚠️ **35** warnings (optional) -- ❌ **2** errors (required) ## Passing 1. MUST accept application/json and match the content-type 2. MUST use utf-8 encoding when responding -3. MUST accept POST requests -4. MAY accept application/x-www-form-urlencoded formatted GET requests -5. MUST NOT allow executing mutations on GET requests -6. SHOULD respond with 4xx status code if content-type is not supplied on POST requests -7. MUST accept application/json POST requests -8. MUST require a request body on POST -9. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json -10. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json -11. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json -12. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json -13. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json -14. SHOULD allow string {query} parameter when accepting application/graphql-response+json -15. MUST allow string {query} parameter when accepting application/json -16. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json -17. MUST allow string {operationName} parameter when accepting application/json -18. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json -19. SHOULD allow map {variables} parameter when accepting application/graphql-response+json -20. MUST allow map {variables} parameter when accepting application/json -21. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -22. 
MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json -23. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json -24. MUST allow map {extensions} parameter when accepting application/json -25. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json -26. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json -27. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json -28. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json -29. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json -30. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json -31. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json -32. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json -33. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json -34. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json -35. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json -36. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json +3. MUST accept utf-8 encoding +4. MUST assume utf-8 if encoding is unspecified +5. MUST accept POST requests +6. MAY accept application/x-www-form-urlencoded formatted GET requests +7. MAY NOT allow executing mutations on GET requests +8. SHOULD respond with 4xx status code if content-type is not supplied on POST requests +9. 
MUST accept application/json POST requests +10. MUST require a request body on POST +11. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json +12. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json +13. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json +14. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json +15. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json +16. SHOULD allow string {query} parameter when accepting application/graphql-response+json +17. MUST allow string {query} parameter when accepting application/json +18. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json +19. MUST allow string {operationName} parameter when accepting application/json +20. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json +21. SHOULD allow map {variables} parameter when accepting application/graphql-response+json +22. MUST allow map {variables} parameter when accepting application/json +23. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +24. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +25. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json +26. MUST allow map {extensions} parameter when accepting application/json +27. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +28. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json +29. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json +30. 
SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json +31. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json +32. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json +33. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json +34. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json +35. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json +36. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json +37. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json +38. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json ## Warnings The server _SHOULD_ support these, but is not required. @@ -188,13 +189,3 @@ Status code 400 is not 200 Status code 400 is not 200 ``` -## Errors -The server _MUST_ support these. -1. MUST accept utf-8 encoding
-``` -Status code 400 is not 200 -``` -2. MUST assume utf-8 if encoding is unspecified
-``` -Status code 400 is not 200 -``` diff --git a/implementations/graph-client/README.md b/implementations/graph-client/README.md index e165d9ba..7bbb51e5 100644 --- a/implementations/graph-client/README.md +++ b/implementations/graph-client/README.md @@ -15,7 +15,7 @@ _* This report was auto-generated by graphql-http_ 7. MUST assume utf-8 if encoding is unspecified 8. MUST accept POST requests 9. MAY accept application/x-www-form-urlencoded formatted GET requests -10. MUST NOT allow executing mutations on GET requests +10. MAY NOT allow executing mutations on GET requests 11. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 12. MUST accept application/json POST requests 13. MUST require a request body on POST @@ -51,8 +51,8 @@ _* This report was auto-generated by graphql-http_ 43. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json 44. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 45. MUST allow map {variables} parameter when accepting application/json -46. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -47. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +46. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +47. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 48. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 49. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 50. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json 
diff --git a/implementations/graphql-helix/README.md b/implementations/graphql-helix/README.md index d1bd501a..da1c67dd 100644 --- a/implementations/graphql-helix/README.md +++ b/implementations/graphql-helix/README.md @@ -12,7 +12,7 @@ _* This report was auto-generated by graphql-http_ 2. MUST use utf-8 encoding when responding 3. MUST accept POST requests 4. MAY accept application/x-www-form-urlencoded formatted GET requests -5. MUST NOT allow executing mutations on GET requests +5. MAY NOT allow executing mutations on GET requests 6. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 7. MUST accept application/json POST requests 8. MUST require a request body on POST @@ -32,8 +32,8 @@ _* This report was auto-generated by graphql-http_ 22. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json 23. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 24. MUST allow map {variables} parameter when accepting application/json -25. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -26. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +25. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +26. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 27. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json 28. MUST allow map {extensions} parameter when accepting application/json 29. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json diff --git a/implementations/graphql-yoga/README.md b/implementations/graphql-yoga/README.md index e165d9ba..7bbb51e5 100644 --- a/implementations/graphql-yoga/README.md +++ b/implementations/graphql-yoga/README.md 
@@ -15,7 +15,7 @@ _* This report was auto-generated by graphql-http_ 7. MUST assume utf-8 if encoding is unspecified 8. MUST accept POST requests 9. MAY accept application/x-www-form-urlencoded formatted GET requests -10. MUST NOT allow executing mutations on GET requests +10. MAY NOT allow executing mutations on GET requests 11. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 12. MUST accept application/json POST requests 13. MUST require a request body on POST @@ -51,8 +51,8 @@ _* This report was auto-generated by graphql-http_ 43. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json 44. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 45. MUST allow map {variables} parameter when accepting application/json -46. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -47. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +46. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +47. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 48. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 49. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 50. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json diff --git a/implementations/hotchocolate/README.md b/implementations/hotchocolate/README.md index e165d9ba..7bbb51e5 100644 --- a/implementations/hotchocolate/README.md +++ b/implementations/hotchocolate/README.md 
@@ -15,7 +15,7 @@ _* This report was auto-generated by graphql-http_ 7. MUST assume utf-8 if encoding is unspecified 8. MUST accept POST requests 9. MAY accept application/x-www-form-urlencoded formatted GET requests -10. MUST NOT allow executing mutations on GET requests +10. MAY NOT allow executing mutations on GET requests 11. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 12. MUST accept application/json POST requests 13. MUST require a request body on POST @@ -51,8 +51,8 @@ _* This report was auto-generated by graphql-http_ 43. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json 44. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 45. MUST allow map {variables} parameter when accepting application/json -46. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -47. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +46. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +47. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 48. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 49. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 50. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json diff --git a/implementations/mercurius/README.md b/implementations/mercurius/README.md index ca8eec35..02a73300 100644 --- a/implementations/mercurius/README.md +++ b/implementations/mercurius/README.md 
@@ -13,7 +13,7 @@ _* This report was auto-generated by graphql-http_ 4. MUST assume utf-8 if encoding is unspecified 5. MUST accept POST requests 6. MAY accept application/x-www-form-urlencoded formatted GET requests -7. MUST NOT allow executing mutations on GET requests +7. MAY NOT allow executing mutations on GET requests 8. SHOULD respond with 4xx status code if content-type is not supplied on POST requests 9. MUST accept application/json POST requests 10. MUST require a request body on POST @@ -34,8 +34,8 @@ _* This report was auto-generated by graphql-http_ 25. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json 26. SHOULD allow map {variables} parameter when accepting application/graphql-response+json 27. MUST allow map {variables} parameter when accepting application/json -28. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -29. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json +28. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +29. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json 30. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json 31. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json 32. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json diff --git a/implementations/thegraph/README.md b/implementations/thegraph/README.md index 35eeaefc..f67ae83c 100644 --- a/implementations/thegraph/README.md +++ b/implementations/thegraph/README.md 
@@ -4,284 +4,284 @@ _* This report was auto-generated by graphql-http_ - **73** audits in total - ✅ **7** pass -- ⚠️ **53** warnings (optional) -- ❌ **13** errors (required) +- ⚠️ **55** warnings (optional) +- ❌ **11** errors (required) ## Passing 1. MAY accept application/x-www-form-urlencoded formatted GET requests 2. SHOULD respond with 4xx status code if content-type is not supplied on POST requests -3. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json -4. SHOULD use 200 status code if parameters are invalid when accepting application/json -5. SHOULD use 200 status code on document parsing failure when accepting application/json -6. SHOULD use 200 status code on document validation failure when accepting application/json -7. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +3. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json +4. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json +5. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json +6. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json +7. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json ## Warnings The server _SHOULD_ support these, but is not required. 1. SHOULD accept application/graphql-response+json and match the content-type
``` -Content-Type header "text/html" does not contain "application/graphql-response+json" +Status code 404 is not 200 ``` 2. SHOULD accept \*/\* and use application/graphql-response+json for the content-type
``` -Content-Type header "text/html" does not contain "application/graphql-response+json" +Status code 404 is not 200 ``` 3. SHOULD assume application/graphql-response+json content-type when accept is missing
``` -Content-Type header "text/html" does not contain "application/graphql-response+json" +Status code 404 is not 200 ``` -4. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
+4. MAY NOT allow executing mutations on GET requests
+``` +Status code 200 is not 405 +``` +5. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -5. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json
+6. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -6. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json
+7. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -7. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
+8. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -8. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
+9. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -9. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json
+10. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -10. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json
+11. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -11. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json
+12. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -12. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json
+13. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -13. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json
+14. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json
``` Status code 404 is not 200 ``` -14. SHOULD allow string {query} parameter when accepting application/graphql-response+json
+15. SHOULD allow string {query} parameter when accepting application/graphql-response+json
``` Status code 404 is not 200 ``` -15. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json
+16. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -16. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json
+17. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -17. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json
+18. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -18. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json
+19. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -19. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json
+20. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -20. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json
+21. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -21. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json
+22. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -22. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json
+23. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json
``` Status code 404 is not 200 ``` -23. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
+24. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
``` Status code 404 is not 200 ``` -24. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
+25. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -25. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json
+26. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -26. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json
+27. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -27. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json
+28. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 400 ``` -28. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json
+29. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -29. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json
+30. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -30. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json
+31. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -31. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json
+32. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json
``` Status code 404 is not 200 ``` -32. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
+33. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
``` Status code 404 is not 200 ``` -33. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json
+34. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
+``` +Response body is not valid JSON. Got "\n\n\n\nThe GraphiQL\n
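Review bot: this regenerated thegraph report should not be read as a compliance result until the audited endpoint is checked, because nearly every Warnings entry now fails with "Status code 404 is not 200" or "Status code 404 is not 400" where the previous run failed on 'Content-Type header "text/html" does not contain "application/graphql-response+json"', and the new item 34 fails with 'Response body is not valid JSON. Got "\n\n\n\nThe GraphiQL\n'. A uniform 404 on the audited requests plus a GraphiQL HTML page on a GET points to the audit URL no longer reaching the GraphQL endpoint (wrong path or the UI route), not to a change in the server; the summary lines move only because of the reclassified audits (errors 13 to 11, warnings 53 to 55, pass fixed at 7), and the three Passing entries about 200 status on application/json were swapped for three about 4xx or 5xx on application/graphql-response+json, which needs the corresponding audit-definition change referenced in the commit message. New warning 4, "MAY NOT allow executing mutations on GET requests" with "Status code 200 is not 405", deserves a closer look for the same reason: if the GET really executed a mutation that is a required fix rather than an optional warning, but given item 34 the 200 is more likely the GraphiQL page, so verify against the real endpoint before merging.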