by fredley 2404 days ago
There's no way for me to verify that what you're running is the same as what you have in GitHub. And for anyone else running it. You should disable this feature.
Why should he? It's your choice to use it or not. If you feel uncomfortable, go and self-host it. Or don't use it at all. But there is no reasoning to prohibit it for everyone.
Altruistically, it trains users that it is ok, which it isn't.

Selfishly, the author really does not want to be storing or even handling these kinds of credentials. It makes them a very juicy target for all kinds of bad actors. Imagine finding yourself in the middle of some kind of account-hijacking nightmare that you have unwittingly enabled, having to deal with people who trusted you and have lost access to their account, or have lost money because people accessed data in their account that allows for ID theft.

Basically people should treat passwords (even other people's passwords) as radioactive material and not attempt to handle them unless they really know what they're doing.

The privacy policy of not storing passwords is nice but what about when they get hacked and the site starts uploading passwords to some attacker's website?