The fundamental issue is not that emoji XSS (that’s just a vector), but how JWTs are implemented and [not] secured. I’ve read that it was reported at least this January (akkoma.nrd.li/notice/AXXhAVF7N5ZH1V972W).
So, developers were already aware, yet - as I’m checking 0.18.1 - they have not fixed the unsafe-inline and unsafe-eval CSP, haven’t made jwt cookie HttpOnly, and haven’t done anything about exp and jti in the JWTs. I hope the recent events will make them do to so, and not just patch this particular XSS.