I think there you hit the nail on the head! Just the fact that it is in there, whether intentionally or not is something that warrants warning people about. So that in the case someone goes to set up a server, they at least know that recently there was this rather severe risk of unnecessary credential exposure, again no matter if it was intentional or not.

However, I will say that I think I would have also opened the PR, not to help the original dev necessarily, but helping those that might come to use the software later.