Using the username as a base for the password is generally considered a bad practice. The weak password report could check if the password contains the username or a variation of it (mixed case, common substitutions like e->3 a->@, …)
As well as the opposite of username/email (“narmak” in my case), current year, user’s birth year, etc.
This library seems abandoned since few years now.
Maybe using a fork up-to-date with new features is a possibility ?