EVA DAILY

SUNDAY, MARCH 1, 2026

TECHNOLOGY | Saturday, February 28, 2026 at 6:30 PM

Open Source Maintainers Consider Charging 'Git Pull Hogs' to Curb Abuse

Open source package repositories handling 10 trillion downloads annually are implementing mandatory tiered pricing for high-volume users after 82% of traffic was traced to less than 1% of IP addresses - mostly major cloud providers and corporations treating free infrastructure like personal CDNs.

Aisha Patel


Photo: Unsplash / Bernd Dittrich

Open source package repositories are drowning. They handle 10 trillion downloads a year - twice Google's search volume - while running on volunteer labor and shoestring budgets. Now maintainers are done asking nicely: they're implementing tiered payment systems, and if you're a major cloud provider treating free repositories like your personal CDN, your free ride is ending.

Here's the problem in numbers: 82% of repository demand comes from less than 1% of IP addresses. According to Brian Fox, CTO of Sonatype, the worst offender was a department store whose 60 developers generated more traffic than global cable modem users worldwide. The reason? Misconfigured build systems pulling packages on every single compilation.

This isn't theoretical waste. This is infrastructure collapsing under commercial-scale use that nobody's paying for.

The solution being rolled out: mandatory tiered pricing. Individual developers and small teams stay free. High-volume commercial users - which mostly means major cloud providers and large corporations - will pay. Not optional donations. Not guilt-trip sponsorship buttons. Mandatory, metered pricing for heavy use.

I've seen this movie before. I've worked in open source. I've maintained libraries. And I've watched companies with billion-dollar valuations treat volunteer-maintained infrastructure as free forever because, well, it has been free.

The fundamental issue isn't that companies are cheap - though some are. It's that they've never had to think about the cost. When you run npm install or pip install, packages just appear. The registry is always up. The bandwidth is always there. The maintainers keep patching security issues. All of it happens invisibly, funded by... nobody knows, honestly.

What changed? AI code generation and aggressive CI/CD pipelines pushed repository traffic into the stratosphere. Every time an AI coding assistant suggests a dependency, every time a security scanner checks a package, every time a build pipeline runs - that's a pull from the repository. Multiply that by thousands of developers at thousands of companies running hundreds of builds per day.

The numbers Fox cited are staggering. Major cloud providers account for 80% of traffic. That's Amazon, Google Cloud, Microsoft Azure, and others pulling packages millions of times per day to provision customer environments. And they've been doing it for free.
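Two things in the paragraphs above are measurable from ordinary registry access logs: how concentrated traffic is among a few clients, and whether a client keeps re-fetching the same artifact, which is the signature of a build system that pulls on every compilation instead of caching. The script below is an added example written for this page, not code from the article, from Sonatype, or from any registry; it works on constructed log lines in a simplified "timestamp client_ip path" format, and the IP addresses, package names and timestamps are made up.

```python
"""Added example: measure traffic concentration and redundant re-fetches in a
package registry access log. Log format and sample data are constructed."""
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: one client re-pulls the same two wheels every five
# minutes (an uncached build loop); two other clients pull once each.
SAMPLE_LOG = """\
2026-02-27T10:00:01Z 203.0.113.7 /simple/requests/requests-2.32.3-py3-none-any.whl
2026-02-27T10:00:02Z 203.0.113.7 /simple/urllib3/urllib3-2.2.2-py3-none-any.whl
2026-02-27T10:05:01Z 203.0.113.7 /simple/requests/requests-2.32.3-py3-none-any.whl
2026-02-27T10:05:02Z 203.0.113.7 /simple/urllib3/urllib3-2.2.2-py3-none-any.whl
2026-02-27T10:10:01Z 203.0.113.7 /simple/requests/requests-2.32.3-py3-none-any.whl
2026-02-27T10:10:02Z 203.0.113.7 /simple/urllib3/urllib3-2.2.2-py3-none-any.whl
2026-02-27T10:15:01Z 203.0.113.7 /simple/requests/requests-2.32.3-py3-none-any.whl
2026-02-27T10:15:02Z 203.0.113.7 /simple/urllib3/urllib3-2.2.2-py3-none-any.whl
2026-02-27T11:00:00Z 198.51.100.20 /simple/requests/requests-2.32.3-py3-none-any.whl
2026-02-27T12:30:00Z 192.0.2.5 /simple/flask/flask-3.0.3-py3-none-any.whl
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, path)."""
    ts, ip, path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, path


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def traffic_share(records, top_fraction=0.01):
    """Return (top_ips, share): the fraction of all requests that came from the
    busiest top_fraction of distinct clients (always at least one client)."""
    per_ip = Counter(ip for _, ip, _ in records)
    n_top = max(1, math.ceil(top_fraction * len(per_ip)))
    top = per_ip.most_common(n_top)
    share = sum(count for _, count in top) / len(records)
    return [ip for ip, _ in top], share


def redundant_fetches(records, window=timedelta(hours=1)):
    """Count, per client, requests for an artifact that the same client had
    already fetched within `window`. A high count means the client is not
    caching and is pulling the same files on every build."""
    last_seen = {}
    redundant = Counter()
    for when, ip, path in sorted(records):
        key = (ip, path)
        if key in last_seen and when - last_seen[key] <= window:
            redundant[ip] += 1
        last_seen[key] = when
    return dict(redundant)


def report(text, top_fraction=0.01, window=timedelta(hours=1)):
    """Combine both measurements for a log text."""
    records = parse_log(text)
    top, share = traffic_share(records, top_fraction)
    return {"top_clients": top, "share": share,
            "redundant": redundant_fetches(records, window)}


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    print(f"top clients {result['top_clients']} account for "
          f"{result['share']:.0%} of requests")
    for ip, n in result["redundant"].items():
        print(f"{ip}: {n} re-fetches of an artifact already pulled within the window")
```

On the constructed data the single busiest client produces 80% of requests and re-fetches artifacts it already holds six times within an hour; a registry operator running the same two measurements over real logs gets both the concentration figure that justifies metering and a per-client list of who would benefit from a local cache or proxy.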

The registry maintainers' proposed solution is elegant: if you're pulling at scale, you pay at scale. They're starting implementation next quarter. And according to Fox, when organizations were informed about their usage patterns, most were "surprised and apologetic." They didn't even realize how much they were pulling.

This is important for two reasons. First, it might actually work. Unlike guilt-tripping users into GitHub Sponsors, mandatory metered pricing means the organizations that benefit most pay proportionally. Second, it could be a model for other open source infrastructure that's currently held together with volunteer time and prayer.

Will there be pushback? Absolutely. Companies will complain that open source was supposed to be free forever. Some will threaten to self-host. Others will argue this kills the open source ethos.

But here's the thing: open source was never meant to subsidize trillion-dollar cloud providers. It was meant to give developers freedom to use, modify, and share software. Commercial users paying for the infrastructure that serves them doesn't violate that ethos. It sustains it.

The alternative is burnout, infrastructure collapse, and security vulnerabilities that don't get patched because the people maintaining critical infrastructure are doing it nights and weekends while working day jobs.

If your company pulls packages 10 million times per month, maybe it's time to start paying for the service. The technology is impressive. The question is whether the people profiting from it should contribute to keeping it running.
