michaelw 2 hours ago

If the costs were all bandwidth related I would agree. Most open source package managers benefit from Fastly's generous donation of credits. Even if one ignores the single-provider-point-of-failure risk, the reality is that the development and operational costs of running package managers are much more than just networking bandwidth, and more is needed.

Malware scanning, AI slopsquatting, and typosquatting are just a few of the things that package managers deal with today. Implementing emerging standards like Trusted Publishing ( https://repos.openssf.org/trusted-publishers-for-all-package... ), the Principles for Package Repository Security ( https://repos.openssf.org/principles-for-package-repository-... ), and improved infrastructure hardening will all be important.

The key insight is that these are services that require development and operations budgets that scale with their usage.