From 5f5532b91c5b50baeaa6c22ad34892920c8b297b Mon Sep 17 00:00:00 2001
From: Denis Badurina <denis@denelop.com>
Date: Thu, 23 Jan 2025 17:01:36 +0100
Subject: [PATCH 1/6] some shoulds are musts

---
 src/audits/server.ts | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/src/audits/server.ts b/src/audits/server.ts
index c3708540..702acc20 100644
--- a/src/audits/server.ts
+++ b/src/audits/server.ts
@@ -40,9 +40,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
   return [
     // Media Types
     audit(
-      // TODO: convert to MUST after watershed
       '22EB',
-      'SHOULD accept application/graphql-response+json and match the content-type',
+      'MUST accept application/graphql-response+json and match the content-type',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -255,9 +254,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       ),
     ),
     audit(
-      // TODO: convert to MUST after watershed
       '34A2',
-      'SHOULD allow string {query} parameter when accepting application/graphql-response+json',
+      'MUST allow string {query} parameter when accepting application/graphql-response+json',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -312,9 +310,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       ),
     ),
     audit(
-      // TODO: convert to MUST after watershed
       '8161',
-      'SHOULD allow string {operationName} parameter when accepting application/graphql-response+json',
+      'MUST allow string {operationName} parameter when accepting application/graphql-response+json',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -353,8 +350,7 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       (parameter, index) => [
         audit(
           `94B${index}`,
-          // TODO: convert to MUST after watershed
-          `SHOULD allow null {${parameter}} parameter when accepting application/graphql-response+json`,
+          `MUST allow null {${parameter}} parameter when accepting application/graphql-response+json`,
           async () => {
             const res = await fetchFn(await getUrl(opts.url), {
               method: 'POST',
@@ -418,9 +414,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       ),
     ),
     audit(
-      // TODO: convert to MUST after watershed
       '2EA1',
-      'SHOULD allow map {variables} parameter when accepting application/graphql-response+json',
+      'MUST allow map {variables} parameter when accepting application/graphql-response+json',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -499,8 +494,7 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     ...['string', 0, false, ['array']].map((invalid, index) =>
       audit(
         `58B${index}`,
-        // TODO: convert to MUST after watershed
-        `MAY use 400 status code on ${extendedTypeof(
+        `MUST use 400 status code on ${extendedTypeof(
           invalid,
         )} {extensions} parameter`,
         async () => {
@@ -519,9 +513,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       ),
     ),
     audit(
-      // TODO: convert to MUST after watershed
       '428F',
-      'SHOULD allow map {extensions} parameter when accepting application/graphql-response+json',
+      'MUST allow map {extensions} parameter when accepting application/graphql-response+json',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -670,9 +663,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     ),
     // Response application/graphql-response+json
     audit(
-      // TODO: convert to MUST after watershed
       '865D',
-      'SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json',
+      'MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -722,9 +714,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       },
     ),
     audit(
-      // TODO: convert to MUST after watershed
       '51FE',
-      'SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json',
+      'MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',

From e403aae506f6c134f835e566c611b44621c8ab14 Mon Sep 17 00:00:00 2001
From: theguild-bot <bot@the-guild.dev>
Date: Thu, 23 Jan 2025 16:06:13 +0000
Subject: [PATCH 2/6] docs(implementations): audit report

---
 README.md                                   |   4 -
 implementations/apollo-server/README.md     |  28 +-
 implementations/deno/README.md              | 215 ++++++++-------
 implementations/deno/report.json            |   6 +-
 implementations/express-graphql/README.md   | 221 +++++++--------
 implementations/express-graphql/report.json |   6 +-
 implementations/graph-client/README.md      |  28 +-
 implementations/graphql-helix/README.md     | 209 +++++++-------
 implementations/graphql-helix/report.json   |   6 +-
 implementations/graphql-yoga/README.md      |  28 +-
 implementations/hotchocolate/README.md      |  32 +--
 implementations/lighthouse/README.md        | 289 ++++++++++----------
 implementations/lighthouse/report.json      |   6 +-
 implementations/mercurius/README.md         | 122 ++++-----
 implementations/mercurius/report.json       |   4 +-
 implementations/postgraphile/README.md      | 191 ++++++-------
 implementations/postgraphile/report.json    |   6 +-
 implementations/thegraph/README.md          | 116 ++++----
 implementations/thegraph/report.json        |   6 +-
 19 files changed, 772 insertions(+), 751 deletions(-)

diff --git a/README.md b/README.md
index 561e58e3..bbc37aef 100644
--- a/README.md
+++ b/README.md
@@ -890,14 +890,10 @@ Their compliance with the [GraphQL over HTTP spec](https://graphql.github.io/gra
 | Name | Audit |
 |------|-------|
 | [apollo-server](https://www.apollographql.com/docs/apollo-server) | [✅ Compliant](/implementations/apollo-server/README.md) |
-| [deno](https://deno.com/blog/build-a-graphql-server-with-deno) | [✅ Compliant](/implementations/deno/README.md) |
 | [graph-client](https://github.com/graphprotocol/graph-client) | [✅ Compliant](/implementations/graph-client/README.md) |
-| [graphql-helix](https://www.graphql-helix.com) | [✅ Compliant](/implementations/graphql-helix/README.md) |
 | [graphql-yoga](https://www.the-guild.dev/graphql/yoga-server) | [✅ Compliant](/implementations/graphql-yoga/README.md) |
 | [hotchocolate](https://chillicream.com/docs/hotchocolate) | [✅ Compliant](/implementations/hotchocolate/README.md) |
-| [lighthouse](https://lighthouse-php.com) | [✅ Compliant](/implementations/lighthouse/README.md) |
 | [pioneer](https://pioneer.dexclaimation.com) | [✅ Compliant](/implementations/pioneer/README.md) |
-| [postgraphile](https://www.graphile.org/postgraphile) | [✅ Compliant](/implementations/postgraphile/README.md) |
 <!-- prettier-ignore-end -->
 
 <!-- </ServersTable> -->
diff --git a/implementations/apollo-server/README.md b/implementations/apollo-server/README.md
index d267c757..8f4cdacd 100644
--- a/implementations/apollo-server/README.md
+++ b/implementations/apollo-server/README.md
@@ -11,7 +11,7 @@
 
 <h2>Passing</h2>
 <ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type</li>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
 <li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
 <li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
@@ -28,40 +28,40 @@
 <li><code>LKJ1</code> MAY use 400 status code on number {query} parameter</li>
 <li><code>LKJ2</code> MAY use 400 status code on boolean {query} parameter</li>
 <li><code>LKJ3</code> MAY use 400 status code on array {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
 <li><code>6C00</code> MAY use 400 status code on object {operationName} parameter</li>
 <li><code>6C01</code> MAY use 400 status code on number {operationName} parameter</li>
 <li><code>6C02</code> MAY use 400 status code on boolean {operationName} parameter</li>
 <li><code>6C03</code> MAY use 400 status code on array {operationName} parameter</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
 <li><code>4761</code> MAY use 400 status code on number {variables} parameter</li>
 <li><code>4762</code> MAY use 400 status code on boolean {variables} parameter</li>
 <li><code>4763</code> MAY use 400 status code on array {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid</li>
 <li><code>3E3A</code> MAY use 400 status code if parameters are invalid</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
 <li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
diff --git a/implementations/deno/README.md b/implementations/deno/README.md
index 4712b2be..2b841a92 100644
--- a/implementations/deno/README.md
+++ b/implementations/deno/README.md
@@ -5,8 +5,9 @@
 <ul>
 <li><b>60</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>29</b> pass</li>
-<li><span style="font-family: monospace">💡</span> <b>18</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>13</b> warnings (optional)</li>
+<li><span style="font-family: monospace">💡</span> <b>14</b> notices (suggestions)</li>
+<li><span style="font-family: monospace">❗️</span> <b>5</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>12</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -38,8 +39,8 @@
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
 <li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 </ol>
 
 <h2>Notices</h2>
@@ -315,9 +316,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter
+<li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -325,19 +326,19 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "59",
+    "content-length": "45",
     "content-encoding": "gzip"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {}
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter
+<li><code>3E3A</code> MAY use 400 status code if parameters are invalid
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
@@ -347,114 +348,94 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "59",
+    "content-length": "45",
     "content-encoding": "gzip"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {}
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter
+</ol>
+
+<h2>Warnings</h2>
+The server <i>SHOULD</i> support these, but is not required.
+<ol>
+<li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Not Acceptable",
+  "status": 406,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "59",
-    "content-encoding": "gzip"
+    "content-type": "text/plain;charset=UTF-8",
+    "content-length": "14"
   },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
+  "body": "Not Acceptable"
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter
+<li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response body is not valid JSON</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Not Acceptable",
+  "status": 406,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "59",
-    "content-encoding": "gzip"
+    "content-type": "text/plain;charset=UTF-8",
+    "content-length": "14"
   },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
+  "body": null
 }
 </code></pre>
 </details>
 </li>
-<li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid
+<li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
 <details>
-<summary>Response status is not between 400 and 599</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Not Acceptable",
+  "status": 406,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "45",
-    "content-encoding": "gzip"
+    "content-type": "text/plain;charset=UTF-8",
+    "content-length": "14"
   },
-  "body": {
-    "errors": [
-      {}
-    ]
-  }
+  "body": "Not Acceptable"
 }
 </code></pre>
 </details>
 </li>
-<li><code>3E3A</code> MAY use 400 status code if parameters are invalid
+<li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response body is not valid JSON</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Not Acceptable",
+  "status": 406,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "45",
-    "content-encoding": "gzip"
+    "content-type": "text/plain;charset=UTF-8",
+    "content-length": "14"
   },
-  "body": {
-    "errors": [
-      {}
-    ]
-  }
+  "body": null
 }
 </code></pre>
 </details>
 </li>
-</ol>
-
-<h2>Warnings</h2>
-The server <i>SHOULD</i> support these, but is not required.
-<ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "Not Acceptable",
   "status": 406,
@@ -469,7 +450,12 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json
+</ol>
+
+<h2>Errors</h2>
+The server <b>MUST</b> support these.
+<ol>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type
 <details>
 <summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
@@ -486,7 +472,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
@@ -503,7 +489,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
@@ -520,7 +506,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
@@ -537,7 +523,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
@@ -554,7 +540,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
@@ -571,7 +557,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
@@ -588,77 +574,97 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Not Acceptable",
-  "status": 406,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "text/plain;charset=UTF-8",
-    "content-length": "14"
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
   },
-  "body": "Not Acceptable"
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
 }
 </code></pre>
 </details>
 </li>
-<li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
 <details>
-<summary>Response body is not valid JSON</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Not Acceptable",
-  "status": 406,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "text/plain;charset=UTF-8",
-    "content-length": "14"
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
   },
-  "body": null
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
 }
 </code></pre>
 </details>
 </li>
-<li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Not Acceptable",
-  "status": 406,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "text/plain;charset=UTF-8",
-    "content-length": "14"
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
   },
-  "body": "Not Acceptable"
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
 }
 </code></pre>
 </details>
 </li>
-<li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
 <details>
-<summary>Response body is not valid JSON</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Not Acceptable",
-  "status": 406,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "vary": "Accept-Encoding",
     "date": "<timestamp>",
-    "content-type": "text/plain;charset=UTF-8",
-    "content-length": "14"
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
   },
-  "body": null
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
 }
 </code></pre>
 </details>
 </li>
-<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
   "statusText": "Not Acceptable",
   "status": 406,
@@ -674,4 +680,3 @@ The server <i>SHOULD</i> support these, but is not required.
 </details>
 </li>
 </ol>
-
diff --git a/implementations/deno/report.json b/implementations/deno/report.json
index b5658aa1..2422feeb 100644
--- a/implementations/deno/report.json
+++ b/implementations/deno/report.json
@@ -1,7 +1,7 @@
 {
   "total": 60,
   "ok": 29,
-  "notice": 18,
-  "warn": 13,
-  "error": 0
+  "notice": 14,
+  "warn": 5,
+  "error": 12
 }
diff --git a/implementations/express-graphql/README.md b/implementations/express-graphql/README.md
index 50299fd3..2b646c62 100644
--- a/implementations/express-graphql/README.md
+++ b/implementations/express-graphql/README.md
@@ -5,8 +5,9 @@
 <ul>
 <li><b>60</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>45</b> pass</li>
-<li><span style="font-family: monospace">💡</span> <b>11</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>4</b> warnings (optional)</li>
+<li><span style="font-family: monospace">💡</span> <b>7</b> notices (suggestions)</li>
+<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>5</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -28,31 +29,31 @@
 <li><code>LKJ1</code> MAY use 400 status code on number {query} parameter</li>
 <li><code>LKJ2</code> MAY use 400 status code on boolean {query} parameter</li>
 <li><code>LKJ3</code> MAY use 400 status code on array {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid</li>
 <li><code>3E3A</code> MAY use 400 status code if parameters are invalid</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
 <li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
@@ -229,81 +230,124 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter
+</ol>
+
+<h2>Warnings</h2>
+The server <i>SHOULD</i> support these, but is not required.
+<ol>
+<li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
-    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "etag": "W/\"68-Xc/MwYKGMF54XYivaA3tsxvGHZM\"",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "31",
+    "content-length": "104",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Syntax Error: Expected Name, found <EOF>.",
+        "locations": [
+          {
+            "line": 1,
+            "column": 2
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter
+<li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
-    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "etag": "W/\"7b-vh2QJW5nlT/MclH/TbhHlNDXWZE\"",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "31",
+    "content-length": "123",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Syntax Error: Invalid number, expected digit but got: \"f\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 4
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
-    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "etag": "W/\"c6-jKvd+KIdPY2/2i/wYj0ck5PZF20\"",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "31",
+    "content-length": "198",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Unknown type \"ID\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 26
+          }
+        ]
+      },
+      {
+        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 21
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter
+</ol>
+
+<h2>Errors</h2>
+The server <b>MUST</b> support these.
+<ol>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response header content-type does not contain application/graphql-response+json</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -325,14 +369,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-</ol>
-
-<h2>Warnings</h2>
-The server <i>SHOULD</i> support these, but is not required.
-<ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
 <details>
-<summary>Response header content-type does not contain application/graphql-response+json</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -354,110 +393,76 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
-    "etag": "W/\"68-Xc/MwYKGMF54XYivaA3tsxvGHZM\"",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "104",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Syntax Error: Expected Name, found <EOF>.",
-        "locations": [
-          {
-            "line": 1,
-            "column": 2
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
-    "etag": "W/\"7b-vh2QJW5nlT/MclH/TbhHlNDXWZE\"",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "123",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Syntax Error: Invalid number, expected digit but got: \"f\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 4
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
-    "etag": "W/\"c6-jKvd+KIdPY2/2i/wYj0ck5PZF20\"",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "198",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Unknown type \"ID\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 26
-          }
-        ]
-      },
-      {
-        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 21
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
 </ol>
-
diff --git a/implementations/express-graphql/report.json b/implementations/express-graphql/report.json
index 4099d182..03056bbe 100644
--- a/implementations/express-graphql/report.json
+++ b/implementations/express-graphql/report.json
@@ -1,7 +1,7 @@
 {
   "total": 60,
   "ok": 45,
-  "notice": 11,
-  "warn": 4,
-  "error": 0
+  "notice": 7,
+  "warn": 3,
+  "error": 5
 }
diff --git a/implementations/graph-client/README.md b/implementations/graph-client/README.md
index 364f93c2..cac189ac 100644
--- a/implementations/graph-client/README.md
+++ b/implementations/graph-client/README.md
@@ -10,7 +10,7 @@
 
 <h2>Passing</h2>
 <ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type</li>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
 <li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
 <li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
@@ -27,43 +27,43 @@
 <li><code>LKJ1</code> MAY use 400 status code on number {query} parameter</li>
 <li><code>LKJ2</code> MAY use 400 status code on boolean {query} parameter</li>
 <li><code>LKJ3</code> MAY use 400 status code on array {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
 <li><code>6C00</code> MAY use 400 status code on object {operationName} parameter</li>
 <li><code>6C01</code> MAY use 400 status code on number {operationName} parameter</li>
 <li><code>6C02</code> MAY use 400 status code on boolean {operationName} parameter</li>
 <li><code>6C03</code> MAY use 400 status code on array {operationName} parameter</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
 <li><code>4761</code> MAY use 400 status code on number {variables} parameter</li>
 <li><code>4762</code> MAY use 400 status code on boolean {variables} parameter</li>
 <li><code>4763</code> MAY use 400 status code on array {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid</li>
 <li><code>3E3A</code> MAY use 400 status code if parameters are invalid</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
 <li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
 <li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
diff --git a/implementations/graphql-helix/README.md b/implementations/graphql-helix/README.md
index 72631835..46ce3ddc 100644
--- a/implementations/graphql-helix/README.md
+++ b/implementations/graphql-helix/README.md
@@ -5,8 +5,9 @@
 <ul>
 <li><b>60</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>49</b> pass</li>
-<li><span style="font-family: monospace">💡</span> <b>7</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>4</b> warnings (optional)</li>
+<li><span style="font-family: monospace">💡</span> <b>3</b> notices (suggestions)</li>
+<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>5</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -28,35 +29,35 @@
 <li><code>LKJ1</code> MAY use 400 status code on number {query} parameter</li>
 <li><code>LKJ2</code> MAY use 400 status code on boolean {query} parameter</li>
 <li><code>LKJ3</code> MAY use 400 status code on array {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
 <li><code>6C00</code> MAY use 400 status code on object {operationName} parameter</li>
 <li><code>6C01</code> MAY use 400 status code on number {operationName} parameter</li>
 <li><code>6C02</code> MAY use 400 status code on boolean {operationName} parameter</li>
 <li><code>6C03</code> MAY use 400 status code on array {operationName} parameter</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid</li>
 <li><code>3E3A</code> MAY use 400 status code if parameters are invalid</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
 <li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
@@ -134,78 +135,121 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter
+</ol>
+
+<h2>Warnings</h2>
+The server <i>SHOULD</i> support these, but is not required.
+<ol>
+<li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "31",
+    "content-length": "104",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Syntax Error: Expected Name, found <EOF>.",
+        "locations": [
+          {
+            "line": 1,
+            "column": 2
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter
+<li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "31",
+    "content-length": "123",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Syntax Error: Invalid number, expected digit but got: \"f\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 4
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "31",
+    "content-length": "198",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Unknown type \"ID\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 26
+          }
+        ]
+      },
+      {
+        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 21
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter
+</ol>
+
+<h2>Errors</h2>
+The server <b>MUST</b> support these.
+<ol>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response header content-type does not contain application/graphql-response+json</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -226,14 +270,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-</ol>
-
-<h2>Warnings</h2>
-The server <i>SHOULD</i> support these, but is not required.
-<ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
 <details>
-<summary>Response header content-type does not contain application/graphql-response+json</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -254,107 +293,73 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "104",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Syntax Error: Expected Name, found <EOF>.",
-        "locations": [
-          {
-            "line": 1,
-            "column": 2
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "123",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Syntax Error: Invalid number, expected digit but got: \"f\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 4
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "x-powered-by": "Express",
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json",
-    "content-length": "198",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Unknown type \"ID\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 26
-          }
-        ]
-      },
-      {
-        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 21
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
 </ol>
-
diff --git a/implementations/graphql-helix/report.json b/implementations/graphql-helix/report.json
index a7e67865..3d69c639 100644
--- a/implementations/graphql-helix/report.json
+++ b/implementations/graphql-helix/report.json
@@ -1,7 +1,7 @@
 {
   "total": 60,
   "ok": 49,
-  "notice": 7,
-  "warn": 4,
-  "error": 0
+  "notice": 3,
+  "warn": 3,
+  "error": 5
 }
diff --git a/implementations/graphql-yoga/README.md b/implementations/graphql-yoga/README.md
index 9c15aea4..7555d3f0 100644
--- a/implementations/graphql-yoga/README.md
+++ b/implementations/graphql-yoga/README.md
@@ -9,7 +9,7 @@
 
 <h2>Passing</h2>
 <ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type</li>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
 <li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
 <li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
@@ -27,33 +27,33 @@
 <li><code>LKJ1</code> MAY use 400 status code on number {query} parameter</li>
 <li><code>LKJ2</code> MAY use 400 status code on boolean {query} parameter</li>
 <li><code>LKJ3</code> MAY use 400 status code on array {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
 <li><code>6C00</code> MAY use 400 status code on object {operationName} parameter</li>
 <li><code>6C01</code> MAY use 400 status code on number {operationName} parameter</li>
 <li><code>6C02</code> MAY use 400 status code on boolean {operationName} parameter</li>
 <li><code>6C03</code> MAY use 400 status code on array {operationName} parameter</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
 <li><code>4761</code> MAY use 400 status code on number {variables} parameter</li>
 <li><code>4762</code> MAY use 400 status code on boolean {variables} parameter</li>
 <li><code>4763</code> MAY use 400 status code on array {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
@@ -62,10 +62,10 @@
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
 <li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
 <li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
diff --git a/implementations/hotchocolate/README.md b/implementations/hotchocolate/README.md
index cb066ff6..902cd383 100644
--- a/implementations/hotchocolate/README.md
+++ b/implementations/hotchocolate/README.md
@@ -10,7 +10,7 @@
 
 <h2>Passing</h2>
 <ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type</li>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
@@ -26,33 +26,33 @@
 <li><code>LKJ1</code> MAY use 400 status code on number {query} parameter</li>
 <li><code>LKJ2</code> MAY use 400 status code on boolean {query} parameter</li>
 <li><code>LKJ3</code> MAY use 400 status code on array {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
 <li><code>6C00</code> MAY use 400 status code on object {operationName} parameter</li>
 <li><code>6C01</code> MAY use 400 status code on number {operationName} parameter</li>
 <li><code>6C02</code> MAY use 400 status code on boolean {operationName} parameter</li>
 <li><code>6C03</code> MAY use 400 status code on array {operationName} parameter</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
 <li><code>4761</code> MAY use 400 status code on number {variables} parameter</li>
 <li><code>4762</code> MAY use 400 status code on boolean {variables} parameter</li>
 <li><code>4763</code> MAY use 400 status code on array {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
@@ -61,10 +61,10 @@
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
 <li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
 <li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
@@ -83,7 +83,7 @@ The server <i>SHOULD</i> support these, but is not required.
     "transfer-encoding": "chunked",
     "server": "Kestrel",
     "date": "<timestamp>",
-    "content-type": "application/graphql-response+json;charset=utf-8"
+    "content-type": "application/graphql-response+json; charset=utf-8"
   },
   "body": {
     "data": {
@@ -104,7 +104,7 @@ The server <i>SHOULD</i> support these, but is not required.
     "transfer-encoding": "chunked",
     "server": "Kestrel",
     "date": "<timestamp>",
-    "content-type": "application/graphql-response+json;charset=utf-8"
+    "content-type": "application/graphql-response+json; charset=utf-8"
   },
   "body": {
     "data": {
diff --git a/implementations/lighthouse/README.md b/implementations/lighthouse/README.md
index 49f21d60..fb3ce764 100644
--- a/implementations/lighthouse/README.md
+++ b/implementations/lighthouse/README.md
@@ -5,8 +5,9 @@
 <ul>
 <li><b>60</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>33</b> pass</li>
-<li><span style="font-family: monospace">💡</span> <b>21</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>6</b> warnings (optional)</li>
+<li><span style="font-family: monospace">💡</span> <b>17</b> notices (suggestions)</li>
+<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>7</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -21,21 +22,21 @@
 <li><code>5A70</code> MAY accept application/x-www-form-urlencoded formatted GET requests</li>
 <li><code>03D4</code> MUST accept application/json POST requests</li>
 <li><code>A5BF</code> MAY use 400 status code when request body is missing on POST</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
@@ -3591,98 +3592,6 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "x-powered-by": "PHP/8.2.19",
-    "host": "localhost:4000",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "connection": "close",
-    "cache-control": "no-cache, private"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "x-powered-by": "PHP/8.2.19",
-    "host": "localhost:4000",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "connection": "close",
-    "cache-control": "no-cache, private"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "x-powered-by": "PHP/8.2.19",
-    "host": "localhost:4000",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "connection": "close",
-    "cache-control": "no-cache, private"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "x-powered-by": "PHP/8.2.19",
-    "host": "localhost:4000",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "connection": "close",
-    "cache-control": "no-cache, private"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid
 <details>
 <summary>Response status is not between 400 and 599</summary>
@@ -4180,9 +4089,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type
+<li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
 <details>
-<summary>Response header content-type does not contain application/graphql-response+json</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4195,17 +4104,29 @@ The server <i>SHOULD</i> support these, but is not required.
     "cache-control": "no-cache, private"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Syntax Error: Expected Name, found <EOF>",
+        "locations": [
+          {
+            "line": 1,
+            "column": 2
+          }
+        ],
+        "extensions": {
+          "line": 382,
+          "file": "/app/vendor/webonyx/graphql-php/src/Language/Parser.php"
+        }
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
+<li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
 <details>
-<summary>Response status is not between 400 and 599</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4220,11 +4141,11 @@ The server <i>SHOULD</i> support these, but is not required.
   "body": {
     "errors": [
       {
-        "message": "Syntax Error: Expected Name, found <EOF>",
+        "message": "Syntax Error: Expected Name, found Int \"8\"",
         "locations": [
           {
             "line": 1,
-            "column": 2
+            "column": 3
           }
         ],
         "extensions": {
@@ -4238,7 +4159,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
@@ -4255,16 +4176,16 @@ The server <i>SHOULD</i> support these, but is not required.
   "body": {
     "errors": [
       {
-        "message": "Syntax Error: Expected Name, found <EOF>",
+        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
         "locations": [
           {
             "line": 1,
-            "column": 2
+            "column": 21
           }
         ],
         "extensions": {
-          "line": 382,
-          "file": "/app/vendor/webonyx/graphql-php/src/Language/Parser.php"
+          "line": 41,
+          "file": "/app/vendor/webonyx/graphql-php/src/Validator/Rules/NoUnusedVariables.php"
         }
       }
     ]
@@ -4273,9 +4194,37 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
+</ol>
+
+<h2>Errors</h2>
+The server <b>MUST</b> support these.
+<ol>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type
+<details>
+<summary>Response header content-type does not contain application/graphql-response+json</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
 <details>
-<summary>Response status is not between 400 and 599</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4288,29 +4237,86 @@ The server <i>SHOULD</i> support these, but is not required.
     "cache-control": "no-cache, private"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Syntax Error: Expected Name, found Int \"8\"",
-        "locations": [
-          {
-            "line": 1,
-            "column": 3
-          }
-        ],
-        "extensions": {
-          "line": 382,
-          "file": "/app/vendor/webonyx/graphql-php/src/Language/Parser.php"
-        }
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
 <details>
 <summary>Response status code is not 400</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
+<details>
+<summary>Response status code is not 400</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
+<details>
+<summary>Response status code is not 400</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4325,11 +4331,11 @@ The server <i>SHOULD</i> support these, but is not required.
   "body": {
     "errors": [
       {
-        "message": "Syntax Error: Expected Name, found Int \"8\"",
+        "message": "Syntax Error: Expected Name, found <EOF>",
         "locations": [
           {
             "line": 1,
-            "column": 3
+            "column": 2
           }
         ],
         "extensions": {
@@ -4343,9 +4349,9 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4360,16 +4366,16 @@ The server <i>SHOULD</i> support these, but is not required.
   "body": {
     "errors": [
       {
-        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
+        "message": "Syntax Error: Expected Name, found Int \"8\"",
         "locations": [
           {
             "line": 1,
-            "column": 21
+            "column": 3
           }
         ],
         "extensions": {
-          "line": 41,
-          "file": "/app/vendor/webonyx/graphql-php/src/Validator/Rules/NoUnusedVariables.php"
+          "line": 382,
+          "file": "/app/vendor/webonyx/graphql-php/src/Language/Parser.php"
         }
       }
     ]
@@ -4379,4 +4385,3 @@ The server <i>SHOULD</i> support these, but is not required.
 </details>
 </li>
 </ol>
-
diff --git a/implementations/lighthouse/report.json b/implementations/lighthouse/report.json
index 9c2ceb34..f74b313c 100644
--- a/implementations/lighthouse/report.json
+++ b/implementations/lighthouse/report.json
@@ -1,7 +1,7 @@
 {
   "total": 60,
   "ok": 33,
-  "notice": 21,
-  "warn": 6,
-  "error": 0
+  "notice": 17,
+  "warn": 3,
+  "error": 7
 }
diff --git a/implementations/mercurius/README.md b/implementations/mercurius/README.md
index 6f09dbb9..2373a8e6 100644
--- a/implementations/mercurius/README.md
+++ b/implementations/mercurius/README.md
@@ -6,8 +6,8 @@
 <li><b>60</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>46</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>6</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>7</b> warnings (optional)</li>
-<li><span style="font-family: monospace">❌</span> <b>1</b> errors (required)</li>
+<li><span style="font-family: monospace">❗️</span> <b>5</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>3</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -27,36 +27,36 @@
 <li><code>423L</code> MAY use 400 status code on missing {query} parameter</li>
 <li><code>LKJ0</code> MAY use 400 status code on object {query} parameter</li>
 <li><code>LKJ3</code> MAY use 400 status code on array {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
 <li><code>6C00</code> MAY use 400 status code on object {operationName} parameter</li>
 <li><code>6C03</code> MAY use 400 status code on array {operationName} parameter</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
 <li><code>4763</code> MAY use 400 status code on array {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid</li>
 <li><code>3E3A</code> MAY use 400 status code if parameters are invalid</li>
 <li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 </ol>
 
@@ -212,53 +212,6 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type
-<details>
-<summary>Response header content-type does not contain application/graphql-response+json</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "keep-alive": "timeout=72",
-    "date": "<timestamp>",
-    "content-type": "application/json; charset=utf-8",
-    "content-length": "31",
-    "connection": "keep-alive"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json
-<details>
-<summary>Response status code is not 200</summary>
-<pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
-  "headers": {
-    "keep-alive": "timeout=72",
-    "date": "<timestamp>",
-    "content-type": "application/json; charset=utf-8",
-    "content-length": "69",
-    "connection": "keep-alive"
-  },
-  "body": {
-    "errors": [
-      {
-        "message": "body/extensions must be object"
-      }
-    ],
-    "data": null
-  }
-}
-</code></pre>
-</details>
-</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
 <details>
 <summary>Response status code is not 200</summary>
@@ -428,6 +381,53 @@ The server <i>SHOULD</i> support these, but is not required.
 <h2>Errors</h2>
 The server <b>MUST</b> support these.
 <ol>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type
+<details>
+<summary>Response header content-type does not contain application/graphql-response+json</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=72",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status code is not 200</summary>
+<pre><code class="lang-json">{
+  "statusText": "Bad Request",
+  "status": 400,
+  "headers": {
+    "keep-alive": "timeout=72",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "69",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "body/extensions must be object"
+      }
+    ],
+    "data": null
+  }
+}
+</code></pre>
+</details>
+</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json
 <details>
 <summary>Response status code is not 200</summary>
diff --git a/implementations/mercurius/report.json b/implementations/mercurius/report.json
index d68f033b..f1686007 100644
--- a/implementations/mercurius/report.json
+++ b/implementations/mercurius/report.json
@@ -2,6 +2,6 @@
   "total": 60,
   "ok": 46,
   "notice": 6,
-  "warn": 7,
-  "error": 1
+  "warn": 5,
+  "error": 3
 }
diff --git a/implementations/postgraphile/README.md b/implementations/postgraphile/README.md
index cea994fc..66ad52c4 100644
--- a/implementations/postgraphile/README.md
+++ b/implementations/postgraphile/README.md
@@ -5,8 +5,9 @@
 <ul>
 <li><b>60</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>46</b> pass</li>
-<li><span style="font-family: monospace">💡</span> <b>10</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>4</b> warnings (optional)</li>
+<li><span style="font-family: monospace">💡</span> <b>6</b> notices (suggestions)</li>
+<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>5</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -25,35 +26,35 @@
 <li><code>423L</code> MAY use 400 status code on missing {query} parameter</li>
 <li><code>LKJ1</code> MAY use 400 status code on number {query} parameter</li>
 <li><code>LKJ2</code> MAY use 400 status code on boolean {query} parameter</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
 <li><code>13EE</code> MUST allow string {query} parameter when accepting application/json</li>
 <li><code>6C00</code> MAY use 400 status code on object {operationName} parameter</li>
 <li><code>6C01</code> MAY use 400 status code on number {operationName} parameter</li>
 <li><code>6C02</code> MAY use 400 status code on boolean {operationName} parameter</li>
 <li><code>6C03</code> MAY use 400 status code on array {operationName} parameter</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json</li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>0220</code> MUST allow null {variables} parameter when accepting application/json</li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json</li>
 <li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json</li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json</li>
 <li><code>4760</code> MAY use 400 status code on string {variables} parameter</li>
 <li><code>4761</code> MAY use 400 status code on number {variables} parameter</li>
 <li><code>4762</code> MAY use 400 status code on boolean {variables} parameter</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid</li>
 <li><code>3E3A</code> MAY use 400 status code if parameters are invalid</li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json</li>
 <li><code>D586</code> SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json</li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
 <li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
@@ -207,75 +208,109 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter
+</ol>
+
+<h2>Warnings</h2>
+The server <i>SHOULD</i> support these, but is not required.
+<ol>
+<li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "31",
+    "content-length": "104",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Syntax Error: Expected Name, found <EOF>.",
+        "locations": [
+          {
+            "line": 1,
+            "column": 2
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter
+<li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "31",
+    "content-length": "123",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Syntax Error: Invalid number, expected digit but got: \"f\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 4
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status code is not 200</summary>
 <pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
+  "statusText": "Bad Request",
+  "status": 400,
   "headers": {
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "31",
+    "content-length": "126",
     "connection": "keep-alive"
   },
   "body": {
-    "data": {
-      "__typename": "Query"
-    }
+    "errors": [
+      {
+        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 21
+          }
+        ]
+      }
+    ]
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter
+</ol>
+
+<h2>Errors</h2>
+The server <b>MUST</b> support these.
+<ol>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response header content-type does not contain application/graphql-response+json</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -295,14 +330,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-</ol>
-
-<h2>Warnings</h2>
-The server <i>SHOULD</i> support these, but is not required.
-<ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
 <details>
-<summary>Response header content-type does not contain application/graphql-response+json</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -322,95 +352,70 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "104",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Syntax Error: Expected Name, found <EOF>.",
-        "locations": [
-          {
-            "line": 1,
-            "column": 2
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "123",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Syntax Error: Invalid number, expected digit but got: \"f\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 4
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
-<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
 <details>
-<summary>Response status code is not 200</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
-  "statusText": "Bad Request",
-  "status": 400,
+  "statusText": "OK",
+  "status": 200,
   "headers": {
     "keep-alive": "timeout=5",
     "date": "<timestamp>",
     "content-type": "application/json; charset=utf-8",
-    "content-length": "126",
+    "content-length": "31",
     "connection": "keep-alive"
   },
   "body": {
-    "errors": [
-      {
-        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
-        "locations": [
-          {
-            "line": 1,
-            "column": 21
-          }
-        ]
-      }
-    ]
+    "data": {
+      "__typename": "Query"
+    }
   }
 }
 </code></pre>
 </details>
 </li>
 </ol>
-
diff --git a/implementations/postgraphile/report.json b/implementations/postgraphile/report.json
index af61c47d..f325f96c 100644
--- a/implementations/postgraphile/report.json
+++ b/implementations/postgraphile/report.json
@@ -1,7 +1,7 @@
 {
   "total": 60,
   "ok": 46,
-  "notice": 10,
-  "warn": 4,
-  "error": 0
+  "notice": 6,
+  "warn": 3,
+  "error": 5
 }
diff --git a/implementations/thegraph/README.md b/implementations/thegraph/README.md
index 7f76bee8..d321ef68 100644
--- a/implementations/thegraph/README.md
+++ b/implementations/thegraph/README.md
@@ -5,9 +5,9 @@
 <ul>
 <li><b>60</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>19</b> pass</li>
-<li><span style="font-family: monospace">💡</span> <b>25</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>9</b> warnings (optional)</li>
-<li><span style="font-family: monospace">❌</span> <b>7</b> errors (required)</li>
+<li><span style="font-family: monospace">💡</span> <b>21</b> notices (suggestions)</li>
+<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>17</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -21,11 +21,11 @@
 <li><code>2C94</code> MUST accept POST requests</li>
 <li><code>5A70</code> MAY accept application/x-www-form-urlencoded formatted GET requests</li>
 <li><code>03D4</code> MUST accept application/json POST requests</li>
-<li><code>34A2</code> SHOULD allow string {query} parameter when accepting application/graphql-response+json</li>
-<li><code>8161</code> SHOULD allow string {operationName} parameter when accepting application/graphql-response+json</li>
-<li><code>2EA1</code> SHOULD allow map {variables} parameter when accepting application/graphql-response+json</li>
+<li><code>34A2</code> MUST allow string {query} parameter when accepting application/graphql-response+json</li>
+<li><code>8161</code> MUST allow string {operationName} parameter when accepting application/graphql-response+json</li>
+<li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
-<li><code>428F</code> SHOULD allow map {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
 <li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
@@ -614,9 +614,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MAY use 400 status code on string {extensions} parameter
+<li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 499</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -648,7 +648,7 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MAY use 400 status code on number {extensions} parameter
+<li><code>BCF8</code> MAY use 400 status code on JSON parsing failure
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
@@ -682,9 +682,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MAY use 400 status code on boolean {extensions} parameter
+<li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -716,7 +716,7 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MAY use 400 status code on array {extensions} parameter
+<li><code>3E3A</code> MAY use 400 status code if parameters are invalid
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
@@ -750,9 +750,14 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure
+</ol>
+
+<h2>Warnings</h2>
+The server <i>SHOULD</i> support these, but is not required.
+<ol>
+<li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
 <details>
-<summary>Response status is not between 400 and 499</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -784,7 +789,7 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>BCF8</code> MAY use 400 status code on JSON parsing failure
+<li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
@@ -818,9 +823,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
 <details>
-<summary>Response status is not between 400 and 599</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -852,9 +857,14 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-<li><code>3E3A</code> MAY use 400 status code if parameters are invalid
+</ol>
+
+<h2>Errors</h2>
+The server <b>MUST</b> support these.
+<ol>
+<li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response header content-type does not contain application/graphql-response+json</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -886,14 +896,9 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 </code></pre>
 </details>
 </li>
-</ol>
-
-<h2>Warnings</h2>
-The server <i>SHOULD</i> support these, but is not required.
-<ol>
-<li><code>22EB</code> SHOULD accept application/graphql-response+json and match the content-type
+<li><code>13EE</code> MUST allow string {query} parameter when accepting application/json
 <details>
-<summary>Response header content-type does not contain application/graphql-response+json</summary>
+<summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -925,7 +930,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>94B0</code> SHOULD allow null {variables} parameter when accepting application/graphql-response+json
+<li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json
 <details>
 <summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
@@ -959,7 +964,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>94B1</code> SHOULD allow null {operationName} parameter when accepting application/graphql-response+json
+<li><code>94B0</code> MUST allow null {variables} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
@@ -993,7 +998,7 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>94B2</code> SHOULD allow null {extensions} parameter when accepting application/graphql-response+json
+<li><code>0220</code> MUST allow null {variables} parameter when accepting application/json
 <details>
 <summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
@@ -1027,9 +1032,9 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
+<li><code>94B1</code> MUST allow null {operationName} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status is not between 400 and 599</summary>
+<summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1061,9 +1066,9 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
+<li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1095,9 +1100,9 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
+<li><code>94B2</code> MUST allow null {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status is not between 400 and 599</summary>
+<summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1129,9 +1134,9 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
+<li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1163,9 +1168,9 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
+<li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1197,14 +1202,9 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
-</ol>
-
-<h2>Errors</h2>
-The server <b>MUST</b> support these.
-<ol>
-<li><code>13EE</code> MUST allow string {query} parameter when accepting application/json
+<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
 <details>
-<summary>Response body execution result has a property "errors"</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1236,9 +1236,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>B8B3</code> MUST allow string {operationName} parameter when accepting application/json
+<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
 <details>
-<summary>Response body execution result has a property "errors"</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1270,9 +1270,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>0220</code> MUST allow null {variables} parameter when accepting application/json
+<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
 <details>
-<summary>Response body execution result has a property "errors"</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1304,9 +1304,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>0221</code> MUST allow null {operationName} parameter when accepting application/json
+<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
 <details>
-<summary>Response body execution result has a property "errors"</summary>
+<summary>Response status code is not 400</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1338,7 +1338,7 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>0222</code> MUST allow null {extensions} parameter when accepting application/json
+<li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json
 <details>
 <summary>Response body execution result has a property "errors"</summary>
 <pre><code class="lang-json">{
@@ -1372,9 +1372,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json
+<li><code>865D</code> MUST use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
 <details>
-<summary>Response body execution result has a property "errors"</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1406,9 +1406,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json
+<li><code>51FE</code> MUST use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
 <details>
-<summary>Response body execution result has a property "errors"</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
diff --git a/implementations/thegraph/report.json b/implementations/thegraph/report.json
index 22374362..13fd278b 100644
--- a/implementations/thegraph/report.json
+++ b/implementations/thegraph/report.json
@@ -1,7 +1,7 @@
 {
   "total": 60,
   "ok": 19,
-  "notice": 25,
-  "warn": 9,
-  "error": 7
+  "notice": 21,
+  "warn": 3,
+  "error": 17
 }

From 2aae445070c877d9d55daa466cc15809b5c60f1f Mon Sep 17 00:00:00 2001
From: Denis Badurina <denis@denelop.com>
Date: Thu, 23 Jan 2025 17:21:56 +0100
Subject: [PATCH 3/6] validation error audits

---
 src/audits/server.ts | 51 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 48 insertions(+), 3 deletions(-)

diff --git a/src/audits/server.ts b/src/audits/server.ts
index 702acc20..739a059e 100644
--- a/src/audits/server.ts
+++ b/src/audits/server.ts
@@ -491,24 +491,69 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
         await ressert(res).bodyAsExecutionResult.notToHaveProperty('errors');
       },
     ),
+    ...['string', 0, false, ['array']].map((invalid, index) =>
+      audit(
+        `028${index}`,
+        `MUST use 4xx or 5xx status codes on ${extendedTypeof(
+          invalid,
+        )} {extensions} parameter when accepting application/graphql-response+json`,
+        async () => {
+          const res = await fetchFn(await getUrl(opts.url), {
+            method: 'POST',
+            headers: {
+              'content-type': 'application/json',
+              accept: 'application/graphql-response+json',
+            },
+            body: JSON.stringify({
+              query: '{ __typename }',
+              extensions: invalid,
+            }),
+          });
+          ressert(res).status.toBeBetween(400, 599);
+        },
+      ),
+    ),
+    ...['string', 0, false, ['array']].map((invalid, index) =>
+      audit(
+        `233${index}`,
+        `SHOULD use 4xx status code on ${extendedTypeof(
+          invalid,
+        )} {extensions} parameter when accepting application/graphql-response+json`,
+        async () => {
+          const res = await fetchFn(await getUrl(opts.url), {
+            method: 'POST',
+            headers: {
+              'content-type': 'application/json',
+              accept: 'application/graphql-response+json',
+            },
+            body: JSON.stringify({
+              query: '{ __typename }',
+              extensions: invalid,
+            }),
+          });
+          ressert(res).status.toBeBetween(400, 499);
+        },
+      ),
+    ),
     ...['string', 0, false, ['array']].map((invalid, index) =>
       audit(
         `58B${index}`,
-        `MUST use 400 status code on ${extendedTypeof(
+        `SHOULD use 4xx or 5xx status codes on ${extendedTypeof(
           invalid,
-        )} {extensions} parameter`,
+        )} {extensions} parameter when accepting application/json`,
         async () => {
           const res = await fetchFn(await getUrl(opts.url), {
             method: 'POST',
             headers: {
               'content-type': 'application/json',
+              accept: 'application/json',
             },
             body: JSON.stringify({
               query: '{ __typename }',
               extensions: invalid,
             }),
           });
-          ressert(res).status.toBe(400);
+          ressert(res).status.toBeBetween(400, 599);
         },
       ),
     ),

From 55e8a815180bcd2f9e8d897917262ccf3ea2aa50 Mon Sep 17 00:00:00 2001
From: theguild-bot <bot@the-guild.dev>
Date: Thu, 23 Jan 2025 16:24:51 +0000
Subject: [PATCH 4/6] docs(implementations): audit report

---
 implementations/apollo-server/README.md     |  20 +-
 implementations/apollo-server/report.json   |   4 +-
 implementations/deno/README.md              | 192 +++++++------
 implementations/deno/report.json            |   8 +-
 implementations/express-graphql/README.md   | 212 +++++++++++++-
 implementations/express-graphql/report.json |   4 +-
 implementations/graph-client/README.md      |  20 +-
 implementations/graph-client/report.json    |   4 +-
 implementations/graphql-helix/README.md     | 204 +++++++++++++-
 implementations/graphql-helix/report.json   |   4 +-
 implementations/graphql-yoga/README.md      |  20 +-
 implementations/graphql-yoga/report.json    |   4 +-
 implementations/hotchocolate/README.md      | 146 +++++++++-
 implementations/hotchocolate/report.json    |   6 +-
 implementations/lighthouse/README.md        | 204 +++++++++++++-
 implementations/lighthouse/report.json      |   4 +-
 implementations/mercurius/README.md         |  20 +-
 implementations/mercurius/report.json       |   4 +-
 implementations/postgraphile/README.md      | 196 ++++++++++++-
 implementations/postgraphile/report.json    |   4 +-
 implementations/thegraph/README.md          | 292 +++++++++++++++++++-
 implementations/thegraph/report.json        |   4 +-
 22 files changed, 1378 insertions(+), 198 deletions(-)

diff --git a/implementations/apollo-server/README.md b/implementations/apollo-server/README.md
index 8f4cdacd..5ac5e89d 100644
--- a/implementations/apollo-server/README.md
+++ b/implementations/apollo-server/README.md
@@ -3,8 +3,8 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>54</b> pass</li>
+<li><b>68</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>62</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>3</b> notices (suggestions)</li>
 <li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
 </ul>
@@ -48,10 +48,18 @@
 <li><code>4763</code> MAY use 400 status code on array {variables} parameter</li>
 <li><code>2EA1</code> MUST allow map {variables} parameter when accepting application/graphql-response+json</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json</li>
 <li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
diff --git a/implementations/apollo-server/report.json b/implementations/apollo-server/report.json
index 2476acfc..c5c3d982 100644
--- a/implementations/apollo-server/report.json
+++ b/implementations/apollo-server/report.json
@@ -1,6 +1,6 @@
 {
-  "total": 60,
-  "ok": 54,
+  "total": 68,
+  "ok": 62,
   "notice": 3,
   "warn": 3,
   "error": 0
diff --git a/implementations/deno/README.md b/implementations/deno/README.md
index 2b841a92..a8cd49c1 100644
--- a/implementations/deno/README.md
+++ b/implementations/deno/README.md
@@ -3,11 +3,11 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>29</b> pass</li>
+<li><b>68</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>37</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>14</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>5</b> warnings (optional)</li>
-<li><span style="font-family: monospace">❌</span> <b>12</b> errors (required)</li>
+<li><span style="font-family: monospace">❗️</span> <b>9</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❌</span> <b>8</b> errors (required)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -33,6 +33,14 @@
 <li><code>4761</code> MAY use 400 status code on number {variables} parameter</li>
 <li><code>4762</code> MAY use 400 status code on boolean {variables} parameter</li>
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
 <li><code>BCF8</code> MAY use 400 status code on JSON parsing failure</li>
@@ -365,6 +373,94 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "59",
+    "content-encoding": "gzip"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 400</summary>
@@ -574,94 +670,6 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "vary": "Accept-Encoding",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "59",
-    "content-encoding": "gzip"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "vary": "Accept-Encoding",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "59",
-    "content-encoding": "gzip"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "vary": "Accept-Encoding",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "59",
-    "content-encoding": "gzip"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
-<details>
-<summary>Response status code is not 400</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "vary": "Accept-Encoding",
-    "date": "<timestamp>",
-    "content-type": "application/json",
-    "content-length": "59",
-    "content-encoding": "gzip"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
 <li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 200</summary>
diff --git a/implementations/deno/report.json b/implementations/deno/report.json
index 2422feeb..41591878 100644
--- a/implementations/deno/report.json
+++ b/implementations/deno/report.json
@@ -1,7 +1,7 @@
 {
-  "total": 60,
-  "ok": 29,
+  "total": 68,
+  "ok": 37,
   "notice": 14,
-  "warn": 5,
-  "error": 12
+  "warn": 9,
+  "error": 8
 }
diff --git a/implementations/express-graphql/README.md b/implementations/express-graphql/README.md
index 2b646c62..7cc3be99 100644
--- a/implementations/express-graphql/README.md
+++ b/implementations/express-graphql/README.md
@@ -3,10 +3,10 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
+<li><b>68</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>45</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>7</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❗️</span> <b>11</b> warnings (optional)</li>
 <li><span style="font-family: monospace">❌</span> <b>5</b> errors (required)</li>
 </ul>
 
@@ -235,6 +235,198 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "etag": "W/\"1f-yOwhVHjWKeagyuteVuktj+6mcMg\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
 <details>
 <summary>Response status code is not 200</summary>
@@ -369,9 +561,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -393,9 +585,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -417,9 +609,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -441,9 +633,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
diff --git a/implementations/express-graphql/report.json b/implementations/express-graphql/report.json
index 03056bbe..7f98e925 100644
--- a/implementations/express-graphql/report.json
+++ b/implementations/express-graphql/report.json
@@ -1,7 +1,7 @@
 {
-  "total": 60,
+  "total": 68,
   "ok": 45,
   "notice": 7,
-  "warn": 3,
+  "warn": 11,
   "error": 5
 }
diff --git a/implementations/graph-client/README.md b/implementations/graph-client/README.md
index cac189ac..531a36cc 100644
--- a/implementations/graph-client/README.md
+++ b/implementations/graph-client/README.md
@@ -3,8 +3,8 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>57</b> pass</li>
+<li><b>68</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>65</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>3</b> notices (suggestions)</li>
 </ul>
 
@@ -49,10 +49,18 @@
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json</li>
 <li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>8764</code> MAY use 4xx or 5xx status codes if parameters are invalid</li>
diff --git a/implementations/graph-client/report.json b/implementations/graph-client/report.json
index 17ae4227..ab91c153 100644
--- a/implementations/graph-client/report.json
+++ b/implementations/graph-client/report.json
@@ -1,6 +1,6 @@
 {
-  "total": 60,
-  "ok": 57,
+  "total": 68,
+  "ok": 65,
   "notice": 3,
   "warn": 0,
   "error": 0
diff --git a/implementations/graphql-helix/README.md b/implementations/graphql-helix/README.md
index 46ce3ddc..c3366b42 100644
--- a/implementations/graphql-helix/README.md
+++ b/implementations/graphql-helix/README.md
@@ -3,10 +3,10 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
+<li><b>68</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>49</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>3</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❗️</span> <b>11</b> warnings (optional)</li>
 <li><span style="font-family: monospace">❌</span> <b>5</b> errors (required)</li>
 </ul>
 
@@ -140,6 +140,190 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "Express",
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
 <details>
 <summary>Response status code is not 200</summary>
@@ -270,9 +454,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -293,9 +477,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -316,9 +500,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -339,9 +523,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
diff --git a/implementations/graphql-helix/report.json b/implementations/graphql-helix/report.json
index 3d69c639..36eb9d6f 100644
--- a/implementations/graphql-helix/report.json
+++ b/implementations/graphql-helix/report.json
@@ -1,7 +1,7 @@
 {
-  "total": 60,
+  "total": 68,
   "ok": 49,
   "notice": 3,
-  "warn": 3,
+  "warn": 11,
   "error": 5
 }
diff --git a/implementations/graphql-yoga/README.md b/implementations/graphql-yoga/README.md
index 7555d3f0..21cf804b 100644
--- a/implementations/graphql-yoga/README.md
+++ b/implementations/graphql-yoga/README.md
@@ -3,8 +3,8 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>60</b> pass</li>
+<li><b>68</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>68</b> pass</li>
 </ul>
 
 <h2>Passing</h2>
@@ -49,10 +49,18 @@
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json</li>
 <li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
diff --git a/implementations/graphql-yoga/report.json b/implementations/graphql-yoga/report.json
index d19c440b..562cbede 100644
--- a/implementations/graphql-yoga/report.json
+++ b/implementations/graphql-yoga/report.json
@@ -1,6 +1,6 @@
 {
-  "total": 60,
-  "ok": 60,
+  "total": 68,
+  "ok": 68,
   "notice": 0,
   "warn": 0,
   "error": 0
diff --git a/implementations/hotchocolate/README.md b/implementations/hotchocolate/README.md
index 902cd383..6a1205c1 100644
--- a/implementations/hotchocolate/README.md
+++ b/implementations/hotchocolate/README.md
@@ -3,9 +3,9 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>58</b> pass</li>
-<li><span style="font-family: monospace">❗️</span> <b>2</b> warnings (optional)</li>
+<li><b>68</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>62</b> pass</li>
+<li><span style="font-family: monospace">❗️</span> <b>6</b> warnings (optional)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -48,10 +48,14 @@
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
@@ -115,5 +119,133 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "transfer-encoding": "chunked",
+    "server": "Kestrel",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "Expected an object or a null-token, but found a String-token with value `string`.",
+        "locations": [
+          {
+            "line": 1,
+            "column": 40
+          }
+        ],
+        "extensions": {
+          "code": "HC0011"
+        }
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "transfer-encoding": "chunked",
+    "server": "Kestrel",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "Expected an object or a null-token, but found a Integer-token with value `0`.",
+        "locations": [
+          {
+            "line": 1,
+            "column": 40
+          }
+        ],
+        "extensions": {
+          "code": "HC0011"
+        }
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "transfer-encoding": "chunked",
+    "server": "Kestrel",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "Expected an object or a null-token, but found a Name-token with value `false`.",
+        "locations": [
+          {
+            "line": 1,
+            "column": 40
+          }
+        ],
+        "extensions": {
+          "code": "HC0011"
+        }
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "transfer-encoding": "chunked",
+    "server": "Kestrel",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "Expected an object or a null-token, but found a LeftBracket-token with value ``.",
+        "locations": [
+          {
+            "line": 1,
+            "column": 40
+          }
+        ],
+        "extensions": {
+          "code": "HC0011"
+        }
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
 </ol>
 
diff --git a/implementations/hotchocolate/report.json b/implementations/hotchocolate/report.json
index ddfc3f4e..05a4235b 100644
--- a/implementations/hotchocolate/report.json
+++ b/implementations/hotchocolate/report.json
@@ -1,7 +1,7 @@
 {
-  "total": 60,
-  "ok": 58,
+  "total": 68,
+  "ok": 62,
   "notice": 0,
-  "warn": 2,
+  "warn": 6,
   "error": 0
 }
diff --git a/implementations/lighthouse/README.md b/implementations/lighthouse/README.md
index fb3ce764..0e8f3536 100644
--- a/implementations/lighthouse/README.md
+++ b/implementations/lighthouse/README.md
@@ -3,10 +3,10 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
+<li><b>68</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>33</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>17</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❗️</span> <b>11</b> warnings (optional)</li>
 <li><span style="font-family: monospace">❌</span> <b>7</b> errors (required)</li>
 </ul>
 
@@ -4089,6 +4089,190 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "x-powered-by": "PHP/8.2.19",
+    "host": "localhost:4000",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "connection": "close",
+    "cache-control": "no-cache, private"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 400</summary>
@@ -4222,9 +4406,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4245,9 +4429,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4268,9 +4452,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -4291,9 +4475,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
diff --git a/implementations/lighthouse/report.json b/implementations/lighthouse/report.json
index f74b313c..650ecfcb 100644
--- a/implementations/lighthouse/report.json
+++ b/implementations/lighthouse/report.json
@@ -1,7 +1,7 @@
 {
-  "total": 60,
+  "total": 68,
   "ok": 33,
   "notice": 17,
-  "warn": 3,
+  "warn": 11,
   "error": 7
 }
diff --git a/implementations/mercurius/README.md b/implementations/mercurius/README.md
index 2373a8e6..f348a0df 100644
--- a/implementations/mercurius/README.md
+++ b/implementations/mercurius/README.md
@@ -3,8 +3,8 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>46</b> pass</li>
+<li><b>68</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>54</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>6</b> notices (suggestions)</li>
 <li><span style="font-family: monospace">❗️</span> <b>5</b> warnings (optional)</li>
 <li><span style="font-family: monospace">❌</span> <b>3</b> errors (required)</li>
@@ -43,10 +43,18 @@
 <li><code>28B9</code> MUST allow map {variables} parameter when accepting application/json</li>
 <li><code>D6D5</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json</li>
 <li><code>6A70</code> MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json</li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter</li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter</li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter</li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter</li>
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json</li>
 <li><code>428F</code> MUST allow map {extensions} parameter when accepting application/graphql-response+json</li>
 <li><code>1B7A</code> MUST allow map {extensions} parameter when accepting application/json</li>
 <li><code>B6DC</code> MAY use 4xx or 5xx status codes on JSON parsing failure</li>
diff --git a/implementations/mercurius/report.json b/implementations/mercurius/report.json
index f1686007..6c3bb880 100644
--- a/implementations/mercurius/report.json
+++ b/implementations/mercurius/report.json
@@ -1,6 +1,6 @@
 {
-  "total": 60,
-  "ok": 46,
+  "total": 68,
+  "ok": 54,
   "notice": 6,
   "warn": 5,
   "error": 3
diff --git a/implementations/postgraphile/README.md b/implementations/postgraphile/README.md
index 66ad52c4..6dce9207 100644
--- a/implementations/postgraphile/README.md
+++ b/implementations/postgraphile/README.md
@@ -3,10 +3,10 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
+<li><b>68</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>46</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>6</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❗️</span> <b>11</b> warnings (optional)</li>
 <li><span style="font-family: monospace">❌</span> <b>5</b> errors (required)</li>
 </ul>
 
@@ -213,6 +213,182 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "keep-alive": "timeout=5",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "31",
+    "connection": "keep-alive"
+  },
+  "body": {
+    "data": {
+      "__typename": "Query"
+    }
+  }
+}
+</code></pre>
+</details>
+</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json
 <details>
 <summary>Response status code is not 200</summary>
@@ -330,9 +506,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -352,9 +528,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -374,9 +550,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -396,9 +572,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
diff --git a/implementations/postgraphile/report.json b/implementations/postgraphile/report.json
index f325f96c..25383d18 100644
--- a/implementations/postgraphile/report.json
+++ b/implementations/postgraphile/report.json
@@ -1,7 +1,7 @@
 {
-  "total": 60,
+  "total": 68,
   "ok": 46,
   "notice": 6,
-  "warn": 3,
+  "warn": 11,
   "error": 5
 }
diff --git a/implementations/thegraph/README.md b/implementations/thegraph/README.md
index d321ef68..9cf16268 100644
--- a/implementations/thegraph/README.md
+++ b/implementations/thegraph/README.md
@@ -3,10 +3,10 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>60</b> audits in total</li>
+<li><b>68</b> audits in total</li>
 <li><span style="font-family: monospace">✅</span> <b>19</b> pass</li>
 <li><span style="font-family: monospace">💡</span> <b>21</b> notices (suggestions)</li>
-<li><span style="font-family: monospace">❗️</span> <b>3</b> warnings (optional)</li>
+<li><span style="font-family: monospace">❗️</span> <b>11</b> warnings (optional)</li>
 <li><span style="font-family: monospace">❌</span> <b>17</b> errors (required)</li>
 </ul>
 
@@ -755,6 +755,278 @@ The server <i>MAY</i> support these, but are truly optional. These are suggestio
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
+<li><code>2330</code> SHOULD use 4xx status code on string {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2331</code> SHOULD use 4xx status code on number {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2332</code> SHOULD use 4xx status code on boolean {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>2333</code> SHOULD use 4xx status code on array {extensions} parameter when accepting application/graphql-response+json
+<details>
+<summary>Response status is not between 400 and 499</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B1</code> SHOULD use 4xx or 5xx status codes on number {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B2</code> SHOULD use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
+<li><code>58B3</code> SHOULD use 4xx or 5xx status codes on array {extensions} parameter when accepting application/json
+<details>
+<summary>Response status is not between 400 and 599</summary>
+<pre><code class="lang-json">{
+  "statusText": "OK",
+  "status": 200,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "transfer-encoding": "chunked",
+    "set-cookie": "<omitted>",
+    "server": "cloudflare",
+    "last-modified": "Mon, 02 Dec 2024 20:56:39 GMT",
+    "expires": "<timestamp>",
+    "etag": "W/\"cffa996b9fb9470d034909269c4d8d0f\"",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-encoding": "br",
+    "connection": "keep-alive",
+    "cf-ray": "<omitted>",
+    "cf-cache-status": "HIT",
+    "cache-control": "public, max-age=3600",
+    "age": "<omitted>"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "This endpoint has been removed. If you have any questions, reach out to support@thegraph.zendesk.com"
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
 <li><code>556A</code> SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
 <details>
 <summary>Response status code is not 400</summary>
@@ -1202,9 +1474,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B0</code> MUST use 400 status code on string {extensions} parameter
+<li><code>0280</code> MUST use 4xx or 5xx status codes on string {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1236,9 +1508,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B1</code> MUST use 400 status code on number {extensions} parameter
+<li><code>0281</code> MUST use 4xx or 5xx status codes on number {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1270,9 +1542,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B2</code> MUST use 400 status code on boolean {extensions} parameter
+<li><code>0282</code> MUST use 4xx or 5xx status codes on boolean {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
@@ -1304,9 +1576,9 @@ The server <b>MUST</b> support these.
 </code></pre>
 </details>
 </li>
-<li><code>58B3</code> MUST use 400 status code on array {extensions} parameter
+<li><code>0283</code> MUST use 4xx or 5xx status codes on array {extensions} parameter when accepting application/graphql-response+json
 <details>
-<summary>Response status code is not 400</summary>
+<summary>Response status is not between 400 and 599</summary>
 <pre><code class="lang-json">{
   "statusText": "OK",
   "status": 200,
diff --git a/implementations/thegraph/report.json b/implementations/thegraph/report.json
index 13fd278b..553c5b64 100644
--- a/implementations/thegraph/report.json
+++ b/implementations/thegraph/report.json
@@ -1,7 +1,7 @@
 {
-  "total": 60,
+  "total": 68,
   "ok": 19,
   "notice": 21,
-  "warn": 3,
+  "warn": 11,
   "error": 17
 }

From 2bcb175d4ff087fe0a43aaf216114a080e002971 Mon Sep 17 00:00:00 2001
From: Denis Badurina <denis@denelop.com>
Date: Thu, 23 Jan 2025 17:31:07 +0100
Subject: [PATCH 5/6] one or the other works

---
 src/audits/server.ts | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/audits/server.ts b/src/audits/server.ts
index 739a059e..77551396 100644
--- a/src/audits/server.ts
+++ b/src/audits/server.ts
@@ -75,7 +75,7 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
     ),
     audit(
       '47DE',
-      'SHOULD accept */* and use application/json for the content-type',
+      'SHOULD accept */* and use application/graphql-response+json or application/json for the content-type',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -86,12 +86,18 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
           body: JSON.stringify({ query: '{ __typename }' }),
         });
         ressert(res).status.toBe(200);
-        ressert(res).header('content-type').toContain('application/json');
+        try {
+          ressert(res)
+            .header('content-type')
+            .toContain('application/graphql-response+json');
+        } catch {
+          ressert(res).header('content-type').toContain('application/json');
+        }
       },
     ),
     audit(
       '80D8',
-      'SHOULD assume application/json content-type when accept is missing',
+      'SHOULD assume application/json or application/graphql-response+json content-type when accept is missing',
       async () => {
         const res = await fetchFn(await getUrl(opts.url), {
           method: 'POST',
@@ -102,7 +108,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
         });
 
         ressert(res).status.toBe(200);
-        ressert(res).header('content-type').toContain('application/json');
+        try {
+          ressert(res)
+            .header('content-type')
+            .toContain('application/graphql-response+json');
+        } catch {
+          ressert(res).header('content-type').toContain('application/json');
+        }
       },
     ),
     audit('82A3', 'MUST use utf-8 encoding when responding', async () => {

From 6aa2a57017128cb635a911fb8f547a60f1caa808 Mon Sep 17 00:00:00 2001
From: theguild-bot <bot@the-guild.dev>
Date: Thu, 23 Jan 2025 16:33:28 +0000
Subject: [PATCH 6/6] docs(implementations): audit report

---
 implementations/apollo-server/README.md   |  4 +-
 implementations/deno/README.md            |  4 +-
 implementations/express-graphql/README.md |  4 +-
 implementations/graph-client/README.md    |  4 +-
 implementations/graphql-helix/README.md   |  4 +-
 implementations/graphql-yoga/README.md    |  4 +-
 implementations/hotchocolate/README.md    | 48 ++---------------------
 implementations/hotchocolate/report.json  |  4 +-
 implementations/lighthouse/README.md      |  4 +-
 implementations/mercurius/README.md       |  4 +-
 implementations/postgraphile/README.md    |  4 +-
 implementations/thegraph/README.md        |  4 +-
 12 files changed, 26 insertions(+), 66 deletions(-)

diff --git a/implementations/apollo-server/README.md b/implementations/apollo-server/README.md
index 5ac5e89d..902516cc 100644
--- a/implementations/apollo-server/README.md
+++ b/implementations/apollo-server/README.md
@@ -13,8 +13,8 @@
 <ol>
 <li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/deno/README.md b/implementations/deno/README.md
index a8cd49c1..7d457a37 100644
--- a/implementations/deno/README.md
+++ b/implementations/deno/README.md
@@ -13,8 +13,8 @@
 <h2>Passing</h2>
 <ol>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/express-graphql/README.md b/implementations/express-graphql/README.md
index 7cc3be99..317b1962 100644
--- a/implementations/express-graphql/README.md
+++ b/implementations/express-graphql/README.md
@@ -13,8 +13,8 @@
 <h2>Passing</h2>
 <ol>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/graph-client/README.md b/implementations/graph-client/README.md
index 531a36cc..dfd5357a 100644
--- a/implementations/graph-client/README.md
+++ b/implementations/graph-client/README.md
@@ -12,8 +12,8 @@
 <ol>
 <li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/graphql-helix/README.md b/implementations/graphql-helix/README.md
index c3366b42..716b5420 100644
--- a/implementations/graphql-helix/README.md
+++ b/implementations/graphql-helix/README.md
@@ -13,8 +13,8 @@
 <h2>Passing</h2>
 <ol>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/graphql-yoga/README.md b/implementations/graphql-yoga/README.md
index 21cf804b..3053b1fd 100644
--- a/implementations/graphql-yoga/README.md
+++ b/implementations/graphql-yoga/README.md
@@ -11,8 +11,8 @@
 <ol>
 <li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/hotchocolate/README.md b/implementations/hotchocolate/README.md
index 6a1205c1..cafaf0bd 100644
--- a/implementations/hotchocolate/README.md
+++ b/implementations/hotchocolate/README.md
@@ -4,14 +4,16 @@
 
 <ul>
 <li><b>68</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>62</b> pass</li>
-<li><span style="font-family: monospace">❗️</span> <b>6</b> warnings (optional)</li>
+<li><span style="font-family: monospace">✅</span> <b>64</b> pass</li>
+<li><span style="font-family: monospace">❗️</span> <b>4</b> warnings (optional)</li>
 </ul>
 
 <h2>Passing</h2>
 <ol>
 <li><code>22EB</code> MUST accept application/graphql-response+json and match the content-type</li>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
@@ -77,48 +79,6 @@
 <h2>Warnings</h2>
 The server <i>SHOULD</i> support these, but is not required.
 <ol>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type
-<details>
-<summary>Response header content-type does not contain application/json</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "transfer-encoding": "chunked",
-    "server": "Kestrel",
-    "date": "<timestamp>",
-    "content-type": "application/graphql-response+json; charset=utf-8"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing
-<details>
-<summary>Response header content-type does not contain application/json</summary>
-<pre><code class="lang-json">{
-  "statusText": "OK",
-  "status": 200,
-  "headers": {
-    "transfer-encoding": "chunked",
-    "server": "Kestrel",
-    "date": "<timestamp>",
-    "content-type": "application/graphql-response+json; charset=utf-8"
-  },
-  "body": {
-    "data": {
-      "__typename": "Query"
-    }
-  }
-}
-</code></pre>
-</details>
-</li>
 <li><code>58B0</code> SHOULD use 4xx or 5xx status codes on string {extensions} parameter when accepting application/json
 <details>
 <summary>Response status is not between 400 and 599</summary>
diff --git a/implementations/hotchocolate/report.json b/implementations/hotchocolate/report.json
index 05a4235b..fd5d4049 100644
--- a/implementations/hotchocolate/report.json
+++ b/implementations/hotchocolate/report.json
@@ -1,7 +1,7 @@
 {
   "total": 68,
-  "ok": 62,
+  "ok": 64,
   "notice": 0,
-  "warn": 6,
+  "warn": 4,
   "error": 0
 }
diff --git a/implementations/lighthouse/README.md b/implementations/lighthouse/README.md
index 0e8f3536..07b1f953 100644
--- a/implementations/lighthouse/README.md
+++ b/implementations/lighthouse/README.md
@@ -13,8 +13,8 @@
 <h2>Passing</h2>
 <ol>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/mercurius/README.md b/implementations/mercurius/README.md
index f348a0df..1064fe2d 100644
--- a/implementations/mercurius/README.md
+++ b/implementations/mercurius/README.md
@@ -13,8 +13,8 @@
 <h2>Passing</h2>
 <ol>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/postgraphile/README.md b/implementations/postgraphile/README.md
index 6dce9207..ec521761 100644
--- a/implementations/postgraphile/README.md
+++ b/implementations/postgraphile/README.md
@@ -13,8 +13,8 @@
 <h2>Passing</h2>
 <ol>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>
diff --git a/implementations/thegraph/README.md b/implementations/thegraph/README.md
index 9cf16268..eb2a547f 100644
--- a/implementations/thegraph/README.md
+++ b/implementations/thegraph/README.md
@@ -13,8 +13,8 @@
 <h2>Passing</h2>
 <ol>
 <li><code>4655</code> MUST accept application/json and match the content-type</li>
-<li><code>47DE</code> SHOULD accept */* and use application/json for the content-type</li>
-<li><code>80D8</code> SHOULD assume application/json content-type when accept is missing</li>
+<li><code>47DE</code> SHOULD accept */* and use application/graphql-response+json or application/json for the content-type</li>
+<li><code>80D8</code> SHOULD assume application/json or application/graphql-response+json content-type when accept is missing</li>
 <li><code>82A3</code> MUST use utf-8 encoding when responding</li>
 <li><code>BF61</code> MUST accept utf-8 encoded request</li>
 <li><code>78D5</code> MUST assume utf-8 in request if encoding is unspecified</li>