Basically, the only risk is injection of unsanitized HTML from user input (displayed to other users).
DayPilot includes built-in XSS protection. It automatically encodes all input values that are supposed to be text (i.e. all properties with text in name, e.g. DayPilot.Event.data.text). But it also supports direct HTML access (especially for customization).
If you don’t want to rely on the built-in escaping, you can use html properties and encode the values yourself.
A static analysis tool will find cases where content is set using innerHTML. But that doesn’t say much by itself. It will have a hard time detecting a real security issue (where text is used for innerHTML without escaping), but a good tool might be able to find it. However, I would expect such a tool to report an exact location and mechanism and describe it correctly (not using CWE-77).
Your screenshot doesn’t say much about the actual place it doesn’t like so it’s hard to comment it.