It is quite literally a feature of this package to be insecure, by storing passwords in plain-text.

As this package is explicitly designed not to be used in production, it's safe to ignore responsible disclosure and raise security concerns as regular issues.