Cargo

Developers report that incremental rebuilds after making minor source code changes take significantly longer than expected. Workspace rebuilds trigger full dependent crate recompilation (not incremental across boundaries), and the linking phase always runs from scratch without caching, creating major productivity bottlenecks.

Malicious crates have been discovered on crates.io, with concerns about disposable accounts and attack vectors. Developers worry that blind dependency upgrades and sprawling dependency trees (especially with tokio) pose significant security risks that could be exploited by state actors.

Documentation testing with doctests is cumbersome due to gaps in IDE support and poor integration with cargo check and clippy. This creates friction in the development workflow for maintaining code examples in documentation.