cluster-api-helm-controller: add pending-upstream-fix advisories for GHSA-5xqw-8hwv-wg92 and GHSA-4hfp-h4cw-hj8p (#21337)

* python-3.10, python-3.11, python-3.12: add pending-upstream-fix advisories for CVE-2025-8194

* python-3.13: add pending-upstream-fix advisory for CVE-2025-8194

Notes that fix has been cherry-picked but remains pending until official upstream release.

* cluster-api-helm-controller: add pending-upstream-fix advisories for GHSA-5xqw-8hwv-wg92 and GHSA-4hfp-h4cw-hj8p

Author: jamie-albert

cluster-api-helm-controller.advisories.yaml

@@ -88,6 +88,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/cluster-api-helm-controller
             scanner: grype
+      - timestamp: 2025-08-02T00:37:37Z
+        type: pending-upstream-fix
+        data:
+          note: "Upstream needs to make code changes in order to upgrade helm.sh/helm/v3 to 3.18.4. Pending PR is inflight awaiting upstream approval: https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/pull/420"
 
   - id: CGA-m548-vg3p-3399
     aliases:
@@ -128,3 +132,7 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/cluster-api-helm-controller
             scanner: grype
+      - timestamp: 2025-08-02T00:37:37Z
+        type: pending-upstream-fix
+        data:
+          note: "Upstream needs to make code changes in order to upgrade helm.sh/helm/v3 to 3.18.4. Pending PR is inflight awaiting upstream approval: https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/pull/420"