I am confused. Is this saying that library authors are accepting pull request with malicious code, or that if you compromise a site, a good place to stick your malicious code is into a jQuery plugin library?