
@guptas6est
What is the purpose of the change

This change removes the transitive dependency on commons-beanutils pulled in through the Hadoop hadoop-common dependency used in flink-s3-fs-base.
The version included transitively (1.9.4) contains a known high-severity vulnerability (CVE-2025-48734). The safest and cleanest solution is to explicitly exclude it.

Brief change log

  • Added an <exclusion> for commons-beanutils:commons-beanutils in flink-filesystems/flink-s3-fs-base/pom.xml to prevent the vulnerable version (1.9.4) from being included.

Verifying this change

Please make sure both new and modified tests in this PR follow the conventions for tests defined in our code quality guide.


Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): Yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): (yes / no)
  • The serializers: (yes / no / don't know)
  • The runtime per-record code paths (performance sensitive): (yes / no / don't know)
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (yes / no / don't know)
  • The S3 file system connector: (yes / no / don't know)

Documentation

  • Does this pull request introduce a new feature? No
  • If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
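The diff itself is not on this page, so the following is an added example of the exclusion the description refers to, written here and not taken from the PR: a hadoop-common dependency in flink-filesystems/flink-s3-fs-base/pom.xml with commons-beanutils excluded. The `${hadoop.version}` property and the dependency's scope are assumptions about the surrounding pom; the artifact coordinates are the real ones.

```xml
<!-- Added example, not the PR's diff. Assumes hadoop-common is declared
     directly in flink-s3-fs-base/pom.xml and that ${hadoop.version} exists. -->
<dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <version>${hadoop.version}</version>
    <exclusions>
        <!-- commons-beanutils 1.9.4 arrives transitively via hadoop-common
             and is affected by CVE-2025-48734. Excluding it drops the
             artifact from this module's resolved dependency set. -->
        <exclusion>
            <groupId>commons-beanutils</groupId>
            <artifactId>commons-beanutils</artifactId>
        </exclusion>
    </exclusions>
</dependency>
```

To confirm the exclusion took effect, run `mvn dependency:tree -pl flink-filesystems/flink-s3-fs-base -Dincludes=commons-beanutils:commons-beanutils` and expect an empty match; if the module bundles its dependencies into a shaded jar, also list the built jar (`unzip -l <jar> | grep beanutils`) so the check covers what actually ships. The caveat with an exclusion rather than an upgrade is that any hadoop-common code path Flink exercises at runtime that still loads a beanutils class will fail with a NoClassDefFoundError, which unit tests on the module alone will not necessarily surface.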

@flinkbot

flinkbot commented Nov 18, 2025

CI report:


@rionmonster

Is this something that can just be safely excluded? I see multiple references throughout the codebase that reference the commons-beanutils package. Would upgrading it to a more recent patched version of the library, such as 1.11.0 be preferred to this exclusion?

The only case I see where that would not be valid is flink-yarn, which seems to require an earlier version:

<!-- Beanutils 1.9.+ doesn't work with Hadoop 2 -->
<version>1.8.3</version>

Just a thought.
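The alternative raised in the comment above, as an added example that is not Flink's actual pom and not part of the PR: instead of excluding the artifact, pin commons-beanutils in `<dependencyManagement>` so that Maven resolves every transitive reference, including the one coming through hadoop-common, to the patched version the comment names. Where the managed version belongs (root pom or a module pom) is an assumption.

```xml
<!-- Added example, not Flink's pom. A managed version applies to transitive
     dependencies as well, so hadoop-common's reference to commons-beanutils
     1.9.4 is resolved to 1.11.0 and the classes stay available at runtime. -->
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>commons-beanutils</groupId>
            <artifactId>commons-beanutils</artifactId>
            <version>1.11.0</version>
        </dependency>
    </dependencies>
</dependencyManagement>
```

A module that declares commons-beanutils as a direct dependency with an explicit `<version>`, as the quoted flink-yarn snippet does with 1.8.3, keeps its own version for that module, so the Hadoop 2 constraint noted in that comment is not overridden by the managed entry. The same `mvn dependency:tree -Dincludes=commons-beanutils:commons-beanutils` check shows, per module, which version won.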

@guptas6est guptas6est marked this pull request as draft November 20, 2025 13:30