tokio

Malicious crates have been discovered on crates.io, with concerns about disposable accounts and attack vectors. Developers worry that blind dependency upgrades and sprawling dependency trees (especially with tokio) pose significant security risks that could be exploited by state actors.

Developers struggle with async ecosystem fragmentation, needing to juggle multiple runtimes (tokio, async-std, etc.) with runtime-specific quirks and incompatibilities. There is no unified async runtime, creating compatibility headaches across projects.