The vulnerability page you linked to shows that the ws module can crash if someone sends you a specially-crafted header. This could be an issue in production services as an attacker could take them down but for React Native the threat would be that an attacker – with access and knowledge to your local development server – could crash your development server and you’d have to restart it. Given this context the severity of the vulnerability seems very different than in a scenario with a publicly exposed production server.
So basically I would posit that for Expo, the bug in ws is minor and worth fixing but not a reason for panic.