
About vulnerability in the dependency

Çağlar Arlı


I have read many articles about the vulnerability in the program dependency, either direct or transitive.

Here are two questions that came to my mind.

  1. If a dependency A has a vulnerability (maybe with a CVE identifier) in one of its functions, called foo(), and I include this dependency A in my application, but my code doesn't call the foo() function, will my program still be vulnerable? I know it is language specific, so what will happen if this situation occurs in Python, JavaScript, Java or PHP?

  2. Do vulnerabilities in development dependencies (example: devDependencies listed in package.json for JavaScript) actually matter? I have read some posts; some said yes, while others said no. I know that it is not a problem for the end user if the deployed application doesn't include those development dependencies, but are those vulnerabilities in the development dependencies actually exploitable against the developer who is using them during the development phase? For languages like Python, JavaScript, Java or PHP?