I thought to have seen some negative comments about its security, anyone knowing more about it?

They installed a root certificate on windows computers that could have been used to MITM all traffic.

I personally had issues with the project years before that when I tried to install their Linux .deb and they ran `pip install` as root in the pre install script inside the .deb. That caused so much havoc to clean up I was pissed at them for years. Now that idiocy is blocked by default in current versions of pip.

Yeah it just seemed like a slightly suss project to me. I did use it initially but uninstalled it after the Chinese root certificate incident.

I wonder if anyone has forked it...

I haven't heard anything negative about it, and I can only find one CVE:

https://www.cvedetails.com/cve/CVE-2024-25140/

Personally, I'm not exposing my installations to the Internet, so I feel relatively secure regardless.