From f3e6b15fbf3629701e4153b8e23c68845c1f61bc Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 01:23:58 +0000
Subject: [PATCH] [ci] release

---
 .changeset/blue-dragons-see.md      | 14 --------------
 .changeset/frank-memes-knock.md     | 13 -------------
 package-lock.json                   |  6 +++---
 packages/runtime-class/CHANGELOG.md | 26 ++++++++++++++++++++++++++
 packages/runtime-class/package.json |  4 ++--
 packages/runtime-tags/CHANGELOG.md  | 23 +++++++++++++++++++++++
 packages/runtime-tags/package.json  |  2 +-
 7 files changed, 55 insertions(+), 33 deletions(-)
 delete mode 100644 .changeset/blue-dragons-see.md
 delete mode 100644 .changeset/frank-memes-knock.md

diff --git a/.changeset/blue-dragons-see.md b/.changeset/blue-dragons-see.md
deleted file mode 100644
index fb412ce4ed..0000000000
--- a/.changeset/blue-dragons-see.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-"marko": patch
-"@marko/runtime-tags": patch
----
-
-Fix escaping issue for dynamic text interpolation inside `<script>`, `<style>`, `<html-script>` and `<html-style>` tags.
-
-The issue was that the escaping logic for those tags used a CASE SENSITIVE search for the closing tag which could be bypassed like so:
-
-```marko
-<script>${"</SCRIPT><img src=x onerror=alert('uh oh')>"}</script>
-```
-
-Note that `script` and `style` there should _never_ render unsanitized user defined values, regardless of wether or not the closing tag is escaped, since these are conceptually just "eval".
diff --git a/.changeset/frank-memes-knock.md b/.changeset/frank-memes-knock.md
deleted file mode 100644
index 25e56dc10d..0000000000
--- a/.changeset/frank-memes-knock.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-"marko": patch
-"@marko/runtime-tags": patch
----
-
-Fix escaping for `<html-comment>` tag.
-Previously this tag relied on normal xml escaping which looks for `<`.
-This PR updates to have a special escape for `<html-comment>` tags that replaces `>` instead.
-
-```marko
-// Previously incorrectly escaped.
-<html-comment>${">Uh oh"}</html-comment>
-```
diff --git a/package-lock.json b/package-lock.json
index b143f7e21e..99cb4767d3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12398,11 +12398,11 @@
     },
     "packages/runtime-class": {
       "name": "marko",
-      "version": "5.38.35",
+      "version": "5.38.36",
       "license": "MIT",
       "dependencies": {
         "@marko/compiler": "^5.39.62",
-        "@marko/runtime-tags": "^6.0.162",
+        "@marko/runtime-tags": "^6.0.164",
         "app-module-path": "^2.2.0",
         "argly": "^1.2.0",
         "browser-refresh-client": "1.1.4",
@@ -12450,7 +12450,7 @@
     },
     "packages/runtime-tags": {
       "name": "@marko/runtime-tags",
-      "version": "6.0.163",
+      "version": "6.0.164",
       "license": "MIT",
       "dependencies": {
         "@marko/compiler": "^5.39.62",
diff --git a/packages/runtime-class/CHANGELOG.md b/packages/runtime-class/CHANGELOG.md
index a3551a6224..ca7bfa7666 100644
--- a/packages/runtime-class/CHANGELOG.md
+++ b/packages/runtime-class/CHANGELOG.md
@@ -1,5 +1,31 @@
 # Change Log
 
+## 5.38.36
+
+### Patch Changes
+
+- [#3159](https://github.com/marko-js/marko/pull/3159) [`19d4b37`](https://github.com/marko-js/marko/commit/19d4b37d0806c4185eed4e0f300092621974f45e) Thanks [@DylanPiercey](https://github.com/DylanPiercey)! - Fix escaping issue for dynamic text interpolation inside `<script>`, `<style>`, `<html-script>` and `<html-style>` tags.
+
+  The issue was that the escaping logic for those tags used a CASE SENSITIVE search for the closing tag which could be bypassed like so:
+
+  ```marko
+  <script>${"</SCRIPT><img src=x onerror=alert('uh oh')>"}</script>
+  ```
+
+  Note that `script` and `style` there should _never_ render unsanitized user defined values, regardless of wether or not the closing tag is escaped, since these are conceptually just "eval".
+
+- [#3159](https://github.com/marko-js/marko/pull/3159) [`19d4b37`](https://github.com/marko-js/marko/commit/19d4b37d0806c4185eed4e0f300092621974f45e) Thanks [@DylanPiercey](https://github.com/DylanPiercey)! - Fix escaping for `<html-comment>` tag.
+  Previously this tag relied on normal xml escaping which looks for `<`.
+  This PR updates to have a special escape for `<html-comment>` tags that replaces `>` instead.
+
+  ```marko
+  // Previously incorrectly escaped.
+  <html-comment>${">Uh oh"}</html-comment>
+  ```
+
+- Updated dependencies [[`19d4b37`](https://github.com/marko-js/marko/commit/19d4b37d0806c4185eed4e0f300092621974f45e), [`19d4b37`](https://github.com/marko-js/marko/commit/19d4b37d0806c4185eed4e0f300092621974f45e)]:
+  - @marko/runtime-tags@6.0.164
+
 ## 5.38.35
 
 ### Patch Changes
diff --git a/packages/runtime-class/package.json b/packages/runtime-class/package.json
index 580f323aa9..b5dd75581d 100644
--- a/packages/runtime-class/package.json
+++ b/packages/runtime-class/package.json
@@ -1,6 +1,6 @@
 {
   "name": "marko",
-  "version": "5.38.35",
+  "version": "5.38.36",
   "description": "UI Components + streaming, async, high performance, HTML templating for Node.js and the browser.",
   "keywords": [
     "front-end",
@@ -70,7 +70,7 @@
   },
   "dependencies": {
     "@marko/compiler": "^5.39.62",
-    "@marko/runtime-tags": "^6.0.162",
+    "@marko/runtime-tags": "^6.0.164",
     "app-module-path": "^2.2.0",
     "argly": "^1.2.0",
     "browser-refresh-client": "1.1.4",
diff --git a/packages/runtime-tags/CHANGELOG.md b/packages/runtime-tags/CHANGELOG.md
index a53b63dd49..36f7b3f729 100644
--- a/packages/runtime-tags/CHANGELOG.md
+++ b/packages/runtime-tags/CHANGELOG.md
@@ -1,5 +1,28 @@
 # @marko/runtime-tags
 
+## 6.0.164
+
+### Patch Changes
+
+- [#3159](https://github.com/marko-js/marko/pull/3159) [`19d4b37`](https://github.com/marko-js/marko/commit/19d4b37d0806c4185eed4e0f300092621974f45e) Thanks [@DylanPiercey](https://github.com/DylanPiercey)! - Fix escaping issue for dynamic text interpolation inside `<script>`, `<style>`, `<html-script>` and `<html-style>` tags.
+
+  The issue was that the escaping logic for those tags used a CASE SENSITIVE search for the closing tag which could be bypassed like so:
+
+  ```marko
+  <script>${"</SCRIPT><img src=x onerror=alert('uh oh')>"}</script>
+  ```
+
+  Note that `script` and `style` there should _never_ render unsanitized user defined values, regardless of wether or not the closing tag is escaped, since these are conceptually just "eval".
+
+- [#3159](https://github.com/marko-js/marko/pull/3159) [`19d4b37`](https://github.com/marko-js/marko/commit/19d4b37d0806c4185eed4e0f300092621974f45e) Thanks [@DylanPiercey](https://github.com/DylanPiercey)! - Fix escaping for `<html-comment>` tag.
+  Previously this tag relied on normal xml escaping which looks for `<`.
+  This PR updates to have a special escape for `<html-comment>` tags that replaces `>` instead.
+
+  ```marko
+  // Previously incorrectly escaped.
+  <html-comment>${">Uh oh"}</html-comment>
+  ```
+
 ## 6.0.163
 
 ### Patch Changes
diff --git a/packages/runtime-tags/package.json b/packages/runtime-tags/package.json
index 1dff293899..d72b3c54d5 100644
--- a/packages/runtime-tags/package.json
+++ b/packages/runtime-tags/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@marko/runtime-tags",
-  "version": "6.0.163",
+  "version": "6.0.164",
   "description": "Optimized runtime for Marko templates.",
   "keywords": [
     "api",