Commit archive over SSH is now a messy affair. As T1866 shows, it cannot handle non-standard ports. However, it also cannot handle non-RSA keys. With elliptic curves rapidly becoming the default, it's even worse.
Disabling fingerprint checking by default sounds sensible: how often do you see spoofing attacks in the wild? There are lots of safeguards against those in place, in every network.
The really messy part is that the script emulates a user by interacting with ssh. See https://github.com/vyos/vyatta-config-mgmt/blob/current/scripts/vyatta-commit-push.pl#L104
It may be better to provide an explicit fingerprint option for those who are concerned about spoofing attacks.
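
One way an explicit fingerprint option could be checked without driving an interactive ssh prompt, as an added example that is not code from vyatta-config-mgmt: it compares an offered host key of any type against a configured SHA256 fingerprint and builds the known_hosts entry, including the `[host]:port` form for non-standard ports. The function names, the host name `archive.example.net` and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def parse_pubkey(line):
    """Split '<type> <base64> [comment]' and check the type embedded in the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return key_type, b64, blob

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints: unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_entry(host, port, key_line, pinned_fp):
    """Return a known_hosts line only if the offered key matches the pinned fingerprint."""
    key_type, b64, blob = parse_pubkey(key_line)
    if not hmac.compare_digest(fingerprint(blob).encode(), pinned_fp.encode()):
        raise ValueError("host key fingerprint mismatch")
    # known_hosts writes non-default ports as [host]:port
    hostspec = host if port == 22 else f"[{host}]:{port}"
    return f"{hostspec} {key_type} {b64}"

def constructed_ed25519_line(seed):
    """Constructed sample key line: 32 hash bytes stand in for a real public key."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

if __name__ == "__main__":
    offered = constructed_ed25519_line(b"archive-server")
    pin = fingerprint(parse_pubkey(offered)[2])  # value the operator would configure
    print(known_hosts_entry("archive.example.net", 2222, offered, pin))
    # The result can be written to a dedicated file and used with
    # ssh -o UserKnownHostsFile=<file> -o StrictHostKeyChecking=yes
```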