It's hard to say that it's "overbroad" without knowing the details of the situation.
It's not hard at all, on the other hand, to imagine situations where this would be a reasonable request. Probably the most obvious would be if the packages contained material which was illegal to possess or distribute (like CSAM). Another would be if the packages were being used as part of a malware C&C operation -- knowing what IP addresses downloaded the packages would aid in determining the scope of the campaign.
We get "please provide the logged IP addresses of user X" subpoenas on a weekly if not daily basis. Which law school did you go to so I can tell our corp counsel they've been doing it wrong and stop asking?
You should re-read the quote. This was not a request for the IP addresses of the users in question, but for everyone that downloaded any packages uploaded by those users.
You're right. Sorry that I implied that was the only thing they asked for. But the point still stands that it's very common to be compelled to provide the equivalent of "tell me everything you know about this IP address", and our legal has said we (usually) legally have to provide it.
Note that GP complains not about the request for IP addresses of user X, but the request for IP addresses of anyone who downloaded content uploaded by user X.
This is way overbroad. The fact that a judge granted this is very bad.