The RFC 1214 situation seems fine, only a few crates have failed to upgrade. Leaving inactive crates behind is inherent in the decision to apply breaking changes. The oauth2 crate with the most impact is likely to be fixed ASAP, right?
Edit: It was fixed in december.
The log issue mentionned (having multiple versions of the log crate, only one version allows logging and all software linked to the other does not log any longer) is quite painful. Is it an issue of symbol collision?