Can you create a PoC for this? Without reproduction it's like saying "your library is broken" without saying anything else.
Please show an example of how this leads to XSS; if it's true, it is more problematic than you think.
I've already found some XSS long ago and reported it to NPM, because the developer (User) of the library could unintentionally create reflected XSS if he was not careful. That's why I've disabled some options by default.
I think that I forgot in one place to escape " with "; it happens only when formatting is enabled (the XSS is not present if so). But outside of formatting the code is not escaped. Probably the code for the data-text attribute was added later, so the data-text attribute is always present, but escaping was not added to this new code.
And just FYI: to prevent the XSS you can use this code: