From f6156a42462f549086a1ef9bdf47f003a3312638 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 11:40:54 -0700
Subject: [PATCH] =?UTF-8?q?Document=20Newtonsoft.Json=2010.0.2=20=E2=86=92?=
 =?UTF-8?q?=2013.0.1=20breaking=20change=20for=20Cosmos=20provider=20in=20?=
 =?UTF-8?q?EF=20Core=209.0=20(#5303)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes #4804

Co-authored-by: AndriySvyryd <6539701+AndriySvyryd@users.noreply.github.com>
---
 .../ef-core-9.0/breaking-changes.md           | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/entity-framework/core/what-is-new/ef-core-9.0/breaking-changes.md b/entity-framework/core/what-is-new/ef-core-9.0/breaking-changes.md
index 862f0f5397..ecd7089fe9 100644
--- a/entity-framework/core/what-is-new/ef-core-9.0/breaking-changes.md
+++ b/entity-framework/core/what-is-new/ef-core-9.0/breaking-changes.md
@@ -348,6 +348,7 @@ Extensive work has gone into making the Azure Cosmos DB provider better in 9.0.
 | [Incorrectly translated queries are no longer translated](#cosmos-incorrect-translations)                                                            | Medium     |
 | [`HasIndex` now throws instead of being ignored](#cosmos-hasindex-throws)                                                                            | Low        |
 | [`IncludeRootDiscriminatorInJsonId` was renamed to `HasRootDiscriminatorInJsonId` after 9.0.0-rc.2](#cosmos-IncludeRootDiscriminatorInJsonId-rename) | Low        |
+| [The referenced Newtonsoft.Json version was updated from 10.0.2 to 13.0.1](#cosmos-newtonsoft-json-version)                                         | Low        |
 
 ### High-impact changes
 
@@ -688,3 +689,23 @@ Another related API was renamed to start with `Has` instead of `Include`, and so
 ##### Mitigations
 
 If your code is using the `IncludeRootDiscriminatorInJsonId` API, simply change it to reference `HasRootDiscriminatorInJsonId` instead.
+
+<a name="cosmos-newtonsoft-json-version"></a>
+
+#### The referenced Newtonsoft.Json version was updated from 10.0.2 to 13.0.1
+
+##### Old behavior
+
+The Cosmos provider referenced Newtonsoft.Json version 10.0.2.
+
+##### New behavior
+
+Starting with EF Core 9.0, the Cosmos provider references Newtonsoft.Json version 13.0.1.
+
+##### Why
+
+The previously referenced version of Newtonsoft.Json has known vulnerabilities. The version was updated to avoid depending on a package version with known security issues.
+
+##### Mitigations
+
+The upgrade to Newtonsoft.Json 13.0.1 should not cause issues in most cases. If your application uses Newtonsoft.Json directly and relies on a specific older version, you can update your application to be compatible with Newtonsoft.Json 13.0.1 or later. See the [Newtonsoft.Json release notes](https://github.com/JamesNK/Newtonsoft.Json/releases) for details on changes between versions.