Nil pointer dereference in normaliseHost when npm dry-run makes HTTPS requests

[ArtemkaKun]

The proxy panics with a nil pointer dereference in the normaliseHost function when processing npm install commands with --dry-run=true. This appears to happen when handling HTTPS CONNECT requests where the request URL or Host field may not be fully populated.

Stack Trace:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x99681b]

goroutine 86 [running]:
main.normaliseHost(0x103d45bc2a00, 0x484205?)
	/go/src/github.com/dependabot/proxy/proxy.go:157 +0x1b
...
github.com/elazarl/goproxy.(*ProxyHttpServer).handleHttps.func2()
	/go/src/github.com/dependabot/proxy/vendor/github.com/elazarl/goproxy/https.go:243 +0x6a5

Reproduction Steps:

1. Run Dependabot update job for an npm package
2. The updater executes: corepack npm install <package>@<<version> --package-lock-only --dry-run=true --ignore-scripts
3. Proxy crashes with nil pointer dereference in normaliseHost

Expected Behavior:
The proxy should handle all request types gracefully, including those from npm dry-run operations, without panicking.

Actual Behavior:
The proxy process crashes, causing the updater job to fail with exit code 1.

Environment:

• Package: tailwindcss-logical (3.0.1 → 4.2.0)
• Command: corepack npm install tailwindcss-logical@4.2.0 --package-lock-only --dry-run=true --ignore-scripts

[ArtemkaKun]

Full log from the dependabot job:

updater | 2026/06/01 10:07:18 INFO <job_1392402476> Checking if tailwindcss-logical 3.0.1 needs updating
  proxy | 2026/06/01 10:07:18 [020] GET https://registry.npmjs.org:443/tailwindcss-logical
  proxy | 2026/06/01 10:07:18 [020] 200 https://registry.npmjs.org:443/tailwindcss-logical
  proxy | 2026/06/01 10:07:18 [022] HEAD https://registry.npmjs.org:443/tailwindcss-logical/-/tailwindcss-logical-4.2.0.tgz
  proxy | 2026/06/01 10:07:18 [022] 200 https://registry.npmjs.org:443/tailwindcss-logical/-/tailwindcss-logical-4.2.0.tgz
updater | 2026/06/01 10:07:18 INFO <job_1392402476> Latest version is 4.2.0
updater | 2026/06/01 10:07:20 INFO <job_1392402476> Started process PID: 1449 with command: {} git reset HEAD --hard {}
updater | 2026/06/01 10:07:21 INFO <job_1392402476> Process PID: 1449 completed with status: pid 1449 exit 0
updater | 2026/06/01 10:07:21 INFO <job_1392402476> Total execution time: 0.96 seconds
updater | 2026/06/01 10:07:21 INFO <job_1392402476> Started process PID: 1455 with command: {} git clean -fx {}
updater | 2026/06/01 10:07:21 INFO <job_1392402476> Process PID: 1455 completed with status: pid 1455 exit 0
updater | 2026/06/01 10:07:21 INFO <job_1392402476> Total execution time: 0.13 seconds
updater | 2026/06/01 10:07:21 INFO <job_1392402476> Started process PID: 1536 with command: {} corepack npm install tailwindcss-logical@4.2.0 --package-lock-only --dry-run\=true --ignore-scripts {}
  proxy | panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x99681b]
goroutine 86 [running]:
main.normaliseHost(0x103d45bc2a00, 0x484205?)
	/go/src/github.com/dependabot/proxy/proxy.go:157 +0x1b
github.com/elazarl/goproxy.FuncReqHandler.Handle(0x1b?, 0x2c?, 0x103d45829c80?)
	/go/src/github.com/dependabot/proxy/vendor/github.com/elazarl/goproxy/actions.go:19 +0x1c
main.newProxy.(*ReqProxyConds).DoFunc.(*ReqProxyConds).Do.func6(0x103d45bc2a00, 0x103d45e8afc0)
	/go/src/github.com/dependabot/proxy/vendor/github.com/elazarl/goproxy/dispatcher.go:216 +0xb2
github.com/elazarl/goproxy.FuncReqHandler.Handle(0x4f?, 0x0?, 0x103d45d38687?)
	/go/src/github.com/dependabot/proxy/vendor/github.com/elazarl/goproxy/actions.go:19 +0x1c
github.com/elazarl/goproxy.(*ProxyHttpServer).filterRequest(0x103d45ce6140?, 0x103d45bc2a00, 0x103d45e8afc0)
	/go/src/github.com/dependabot/proxy/vendor/github.com/elazarl/goproxy/proxy.go:64 +0x7b
github.com/elazarl/goproxy.(*ProxyHttpServer).handleHttps.func2()
	/go/src/github.com/dependabot/proxy/vendor/github.com/elazarl/goproxy/https.go:243 +0x6a5
created by github.com/elazarl/goproxy.(*ProxyHttpServer).handleHttps in goroutine 84
	/go/src/github.com/dependabot/proxy/vendor/github.com/elazarl/goproxy/https.go:213 +0x5a7
updater | 2026/06/01 10:09:16 INFO <job_1392402476> Process PID: 1536 completed with status: pid 1536 exit 1