feat(celeborn-0.5): update advisory for GHSA-h46c-h94j-95f3 (#20776)

Signed-off-by: Francesco Bartolini <[email protected]>

Author: efbar

celeborn-0.5.advisories.yaml

@@ -153,6 +153,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.1.jar
             scanner: grype
+      - timestamp: 2025-07-01T16:30:33Z
+        type: pending-upstream-fix
+        data:
+          note: The vuln comes from the Hadoop dependency. Jackson-core is pinned at 2.12.7 in Hadoop 3.4.1. Once Hadoop updates it and also upstream update Hadoop to the fixed version, we can update and fix the package too.
 
   - id: CGA-xvv2-g55w-6g8w
     aliases: