jefurii 4 hours ago

It's pretty easy to enable things like pip-cache (for pypi) so your machines don't have to hit the package servers for each and every install. We should all be doing this. Maybe the tools could be modified to have caching on by default?
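
As an added example (not code from the thread, and not pip's own cache implementation), here is a minimal content-addressed download cache of the kind a shared local pip cache or caching proxy provides. It shows the two things a practitioner wants from such a cache: repeated installs on the same box hit upstream once, and a cached file is only served if it still matches the sha256 the index link advertises (PEP 503 simple-index links carry a `#sha256=<hex>` fragment). The `PackageCache` class, the injected `fetch` hook, the `example.invalid` host and the payload bytes are assumptions made for illustration so the example runs offline.

```python
"""Content-addressed package download cache with integrity checks.

Added example for illustration; not pip's code. The fetch function is
injected so the whole thing runs offline against a constructed payload.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlsplit


class PackageCache:
    """Caches files keyed by the sha256 named in the index link fragment.

    A PEP 503 index link looks like
    https://host/path/pkg-1.0.tar.gz#sha256=<hex>; we use that hex as the
    cache key, so a cache entry is only ever served for the digest it was
    stored under, and never without re-hashing it first.
    """

    def __init__(self, cache_dir, fetch):
        # fetch(url) -> bytes; assumed hook standing in for an HTTP GET upstream
        self.cache_dir = cache_dir
        self.fetch = fetch
        self.upstream_hits = 0  # how many times we actually went upstream
        os.makedirs(cache_dir, exist_ok=True)

    @staticmethod
    def expected_digest(url):
        """Extract the sha256 hex the index published for this link."""
        frag = urlsplit(url).fragment
        if not frag.startswith("sha256="):
            raise ValueError(f"index link without sha256 fragment: {url}")
        return frag[len("sha256="):].lower()

    def get(self, url):
        digest = self.expected_digest(url)
        path = os.path.join(self.cache_dir, digest)
        if os.path.exists(path):
            with open(path, "rb") as f:
                data = f.read()
            if hashlib.sha256(data).hexdigest() == digest:
                return data  # cache hit, verified
            os.remove(path)  # corrupted or tampered entry: refetch
        data = self.fetch(url.split("#", 1)[0])
        self.upstream_hits += 1
        if hashlib.sha256(data).hexdigest() != digest:
            # never cache or serve something the index did not vouch for
            raise ValueError("downloaded file does not match index digest")
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(data)
        os.replace(tmp, path)  # atomic publish so readers never see a partial file
        return data


def demo():
    """Three installs of one file hit upstream once; a bad digest is refused."""
    payload = b"constructed stand-in for an sdist"  # constructed sample input
    digest = hashlib.sha256(payload).hexdigest()
    url = f"https://files.example.invalid/pkg-1.0.tar.gz#sha256={digest}"

    def fake_fetch(_url):  # constructed: replaces the real upstream GET
        return payload

    cache = PackageCache(tempfile.mkdtemp(prefix="pkgcache-"), fake_fetch)
    for _ in range(3):
        assert cache.get(url) == payload
    hits_after_three = cache.upstream_hits

    # An index link whose digest does not match what upstream returns
    bad_url = url.rsplit("=", 1)[0] + "=" + "0" * 64
    try:
        cache.get(bad_url)
        rejected = False
    except ValueError:
        rejected = True
    return {"upstream_hits_after_three_installs": hits_after_three,
            "mismatch_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Keying the on-disk entry by the published digest, rather than by URL, is what lets several hosts share one cache directory safely: a stale or poisoned entry cannot be served for a different file, and re-hashing on every read means a modified file on disk is treated as a miss rather than handed to the installer.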

michaelw 2 hours ago | parent [-]

If the costs were all bandwidth related I would agree. Most open source package managers benefit from Fastly's generous donation of credits. Even if one ignores the single-provider-point-of-failure risk, the reality is that the development and operational costs of running package managers are much more than just networking bandwidth, and more is needed.

Malware scanning, AI slopsquatting, and typosquatting are just a few of the things that package managers deal with today. Implementing emerging standards like Trusted Publishing ( https://repos.openssf.org/trusted-publishers-for-all-package... ), the Principles for Package Repository Security ( https://repos.openssf.org/principles-for-package-repository-... ), and improved infrastructure hardening will all be important.

The key insight is that these are services that require development and operations budgets that scale with their usage.