fetch.py has:

    message = (cmdutil.logmessage(opts) or
               (_('Automated merge with %s') % other.url()))

If you are using HTTPS authentication and have put your username and password in
the URL in .hg/hgrc for convenience, hg fetch when doing a merge will produce a
commit with a message such as

    Automated merge with https://jhacker:supersecret@hg.nowhere.net/repo/

If you are not paying close attention and then push to the remote repository,
your password will then become a matter of permanent public record!
Probably should be using util.hidepassword here at least. Better would perhaps
be to remove the username as well, since it is not really relevant in this
context, and just use e.g.

    Automated merge with https://hg.nowhere.net/repo/
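
The two options raised in the report (masking the password, or dropping the username as well), plus a check for commit messages that already contain a credential, sketched as an added example. It is not code from fetch.py or from Mercurial's util module: the function names, the "***" mask and the regular expression are assumptions of this sketch, and it uses only the Python standard library.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches scheme://user:password@ inside free text such as a commit message.
CREDENTIAL_URL = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@", re.I)


def _rewrite_userinfo(url, keep_user):
    parts = urlsplit(url)
    # Split on the LAST '@' so a password that itself contains '@' is handled.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url  # no credentials, or a local path: return it untouched
    user, colon, _password = userinfo.partition(":")
    if keep_user:
        netloc = user + (":***@" if colon else "@") + hostport
    else:
        netloc = hostport
    return urlunsplit(parts._replace(netloc=netloc))


def hide_password(url):
    """Keep the username, mask the password (the minimum the report asks for)."""
    return _rewrite_userinfo(url, keep_user=True)


def strip_userinfo(url):
    """Drop username and password (the report's preferred form)."""
    return _rewrite_userinfo(url, keep_user=False)


def merge_message(remote_url):
    """Build the automated merge message from a sanitized URL."""
    return "Automated merge with %s" % strip_userinfo(remote_url)


def leaks_credentials(message):
    """True if a commit message embeds a user:password@ URL."""
    return CREDENTIAL_URL.search(message) is not None


if __name__ == "__main__":
    # Constructed sample input: the URL from the report above.
    url = "https://jhacker:supersecret@hg.nowhere.net/repo/"
    print(hide_password(url))
    print(merge_message(url))
    print(leaks_credentials("Automated merge with " + url))
```

A check like leaks_credentials can be run over outgoing commit messages before a push, since a message that has already been pushed stays in the remote history.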