import { AnalyzedPackageWithVersion, OSRelease } from "../analyzer/types";
import { DepTree } from "../types";
/** @deprecated Should implement a new function to build a dependency graph instead. */
export declare function buildTree(targetImage: string, packageFormat: string, depInfosList: AnalyzedPackageWithVersion[], targetOS: OSRelease): DepTree;
/**
 * Canonical "full name" for a package as it appears in the dep graph and
 * therefore in any vulnerability `from[]` / `packageName` field a downstream
 * consumer (e.g. backend, UI) sees.
 *
 * For OS packages with a distinct source/origin (Debian `Source:`, Alpine
 * `o:`, RPM source RPM) the name is `<source>/<binary>` - e.g. the libc
 * vuln pinned against Debian's `glibc` source surfaces on the binary
 * `libc-bin` as `glibc/libc-bin`. For packages without a `Source` (and for
 * non-OS ecosystems) it's just `<name>`.
 *
 * Exported so the layer-attribution producer can mint keys with the same
 * shape — see `lib/analyzer/layer-attribution.ts`. Keep this as the single
 * source of truth for that string format; if it drifts, the response
 * builder's per-package `dockerLayerDiffId` annotation join (which keys
 * by `${depFullName}@${version}`) will silently miss for any package
 * with a non-trivial `Source` (i.e. most OS vulns).
 */
export declare function depFullName(depInfo: AnalyzedPackageWithVersion): string;
