The way the library works via v-html allows someone to inject arbitrary HTML if they can control the input string to linkify. An example is here.
The linkify notes on this are available here:
I'm not sure any code changes are necessary, but a disclaimer that only trusted strings should be passed in the Readme might be appropriate. Vue obviously makes this disclaimer in their documentation, but I think it is worth reiterating it in this project just because it is likely that users of this library would want to use it with untrusted strings of text.
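One way to keep untrusted text safe before it reaches v-html, as an added example that is not part of the original issue and not the library's own code: split the raw string into URL and non-URL segments, HTML-escape every segment, and only then wrap the URLs in anchors. The names `escapeHtml` and `safeLinkify` are hypothetical, and the simple `http(s)` pattern is an assumption standing in for a real link matcher.

```javascript
// Added example: escape each segment, then build anchors, so the result
// contains no markup other than the <a> tags generated here.
// escapeHtml and safeLinkify are hypothetical helpers, not the library's API.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: only http(s) URLs become links. The match stops at whitespace,
// quotes and angle brackets, so markup can never end up inside the URL.
// Trailing punctuation handling is left out to keep the example short.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

function safeLinkify(untrusted) {
  const text = String(untrusted);
  let out = '';
  let last = 0;
  for (const match of text.matchAll(URL_RE)) {
    // Plain text before the URL: escaped, never interpreted as HTML.
    out += escapeHtml(text.slice(last, match.index));
    // The URL itself is escaped for both the attribute and the link text.
    const safeUrl = escapeHtml(match[0]);
    out += `<a href="${safeUrl}" rel="noopener noreferrer">${safeUrl}</a>`;
    last = match.index + match[0].length;
  }
  // Remaining plain text after the last URL.
  return out + escapeHtml(text.slice(last));
}

// Constructed sample input: user-supplied text carrying its own markup.
const SAMPLE = 'hi <b onmouseover="x()">there</b> see https://example.com/a?b=1&c=2 ok';
console.log(safeLinkify(SAMPLE));
```

The returned string can be bound with v-html because the only tags in it are the anchors built inside `safeLinkify`; the untrusted markup is rendered as visible text.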