By default, exposing devpi-server to the internet is not safe!
See "Restricting who can create users" to prevent everyone from being able to create their own user account on your server.
For replication devpi-server exposes the
route. If replication isn’t used, this route should be blocked. Otherwise your whole
server can be replicated from the outside, including the password hashes of
all users. This includes deleted users until an
export/import cycle has been made.