diff --git a/apps/svelte.dev/package.json b/apps/svelte.dev/package.json
index 692ce2005d..b4e74b2999 100644
--- a/apps/svelte.dev/package.json
+++ b/apps/svelte.dev/package.json
@@ -48,7 +48,6 @@
 		"cookie": "^0.6.0",
 		"d3-geo": "^3.1.0",
 		"d3-geo-projection": "^4.0.0",
-		"devalue": "^5.0.0",
 		"do-not-zip": "^1.0.0",
 		"flexsearch": "^0.7.43",
 		"flru": "^1.0.2",
diff --git a/apps/svelte.dev/src/routes/(authed)/+layout.svelte b/apps/svelte.dev/src/routes/(authed)/+layout.svelte
index 6379d6925c..7b91ed29fb 100644
--- a/apps/svelte.dev/src/routes/(authed)/+layout.svelte
+++ b/apps/svelte.dev/src/routes/(authed)/+layout.svelte
@@ -1,20 +1,19 @@
 <script lang="ts">
 	import { invalidateAll } from '$app/navigation';
+	import { storage_key } from '../auth/_config';
 	import { set_app_context } from './app-context';
 
 	set_app_context({
-		login: () => {
-			const login_window = window.open(
-				`${window.location.origin}/auth/login`,
-				'login',
-				'width=600,height=400'
-			);
+		login: async () => {
+			window.open(`${window.location.origin}/auth/login`, 'login', 'width=600,height=400');
 
-			window.addEventListener('message', function handler(event) {
-				if (event.data.source !== 'svelte-auth') return;
-				login_window!.close();
-				window.removeEventListener('message', handler);
-				invalidateAll();
+			// we can't interact directly with opener, so we use localStorage as a side channel
+			window.addEventListener('storage', function handler(event) {
+				if (event.key === storage_key) {
+					invalidateAll();
+					window.removeEventListener('storage', handler);
+					this.localStorage.clearItem(storage_key);
+				}
 			});
 		},
 
diff --git a/apps/svelte.dev/src/routes/auth/_config.js b/apps/svelte.dev/src/routes/auth/_config.js
index e86df437d2..068ea306d5 100644
--- a/apps/svelte.dev/src/routes/auth/_config.js
+++ b/apps/svelte.dev/src/routes/auth/_config.js
@@ -1,6 +1,2 @@
-import { GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET } from '$env/static/private';
-
 export const oauth = 'https://github.com/login/oauth';
-
-export const client_id = GITHUB_CLIENT_ID;
-export const client_secret = GITHUB_CLIENT_SECRET;
+export const storage_key = 'login';
diff --git a/apps/svelte.dev/src/routes/auth/callback/+server.ts b/apps/svelte.dev/src/routes/auth/callback/+server.ts
index 58b7557785..a3febb4c94 100644
--- a/apps/svelte.dev/src/routes/auth/callback/+server.ts
+++ b/apps/svelte.dev/src/routes/auth/callback/+server.ts
@@ -1,14 +1,14 @@
-import { uneval } from 'devalue';
 import * as cookie from 'cookie';
 import * as session from '$lib/db/session';
-import { oauth, client_id, client_secret } from '../_config.js';
+import { oauth, storage_key } from '../_config.js';
+import { GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET } from '$env/static/private';
 
 export async function GET({ url }) {
 	// Trade "code" for "access_token"
 	const code = url.searchParams.get('code') || undefined;
 	const params = new URLSearchParams({
-		client_id,
-		client_secret
+		client_id: GITHUB_CLIENT_ID,
+		client_secret: GITHUB_CLIENT_SECRET
 	});
 	if (code) params.set('code', code);
 	const r1 = await fetch(`${oauth}/access_token?` + params.toString());
@@ -34,15 +34,9 @@ export async function GET({ url }) {
 	};
 	const { sessionid, expires } = await session.create(user);
 
+	// we can't interact directly with opener, so we use localStorage as a side channel
 	return new Response(
-		`
-		<script>
-			window.opener.postMessage({
-				source: 'svelte-auth',
-				user: ${uneval(user)}
-			}, window.location.origin);
-		</script>
-	`,
+		`<script>localStorage.setItem('${storage_key}', Date.now()); window.close()</script>`,
 		{
 			headers: {
 				'Set-Cookie': cookie.serialize('sid', sessionid, {
diff --git a/apps/svelte.dev/src/routes/auth/login/+server.js b/apps/svelte.dev/src/routes/auth/login/+server.js
index f2f00d6854..bef18c7dfe 100644
--- a/apps/svelte.dev/src/routes/auth/login/+server.js
+++ b/apps/svelte.dev/src/routes/auth/login/+server.js
@@ -1,33 +1,33 @@
 import { redirect } from '@sveltejs/kit';
-import { client_id, oauth } from '../_config.js';
+import { oauth } from '../_config.js';
+import { GITHUB_CLIENT_ID } from '$env/static/private';
 
-export const GET = client_id
-	? /** @param {{url: URL}} opts */ ({ url }) => {
-			const Location =
-				`${oauth}/authorize?` +
-				new URLSearchParams({
-					scope: 'read:user',
-					client_id,
-					redirect_uri: `${url.origin}/auth/callback`
-				}).toString();
-
-			redirect(302, Location);
-		}
-	: () =>
-			new Response(
-				`
-			<body style="font-family: sans-serif; background: rgb(255,215,215); border: 2px solid red; margin: 0; padding: 1em;">
-				<h1>Missing .env file</h1>
-				<p>In order to use GitHub authentication, you will need to <a target="_blank" href="https://github.com/settings/developers">register an OAuth application</a> and create a local .env file:</p>
-				<pre>GITHUB_CLIENT_ID=[YOUR_APP_ID]\nGITHUB_CLIENT_SECRET=[YOUR_APP_SECRET]\nBASEURL=http://localhost:5173</pre>
-				<p>The <code>BASEURL</code> variable should match the callback URL specified for your app.</p>
-				<p>See also <a target="_blank" href="https://github.com/sveltejs/svelte/tree/svelte-4/sites/svelte.dev#repl-github-integration">here</a></p>
-			</body>
-		`,
-				{
-					status: 500,
-					headers: {
-						'Content-Type': 'text/html; charset=utf-8'
-					}
+export function GET({ url }) {
+	if (!GITHUB_CLIENT_ID) {
+		return new Response(
+			`
+		<body style="font-family: sans-serif; background: rgb(255,215,215); border: 2px solid red; margin: 0; padding: 1em;">
+			<h1>Missing .env file</h1>
+			<p>In order to use GitHub authentication, you will need to <a target="_blank" href="https://github.com/settings/developers">register an OAuth application</a> and create a local .env file:</p>
+			<pre>GITHUB_CLIENT_ID=[YOUR_APP_ID]\nGITHUB_CLIENT_SECRET=[YOUR_APP_SECRET]\nBASEURL=http://localhost:5173</pre>
+			<p>The <code>BASEURL</code> variable should match the callback URL specified for your app.</p>
+			<p>See also <a target="_blank" href="https://github.com/sveltejs/svelte/tree/svelte-4/sites/svelte.dev#repl-github-integration">here</a></p>
+		</body>
+	`,
+			{
+				status: 500,
+				headers: {
+					'Content-Type': 'text/html; charset=utf-8'
 				}
-			);
+			}
+		);
+	}
+
+	const params = new URLSearchParams({
+		scope: 'read:user',
+		client_id: GITHUB_CLIENT_ID,
+		redirect_uri: `${url.origin}/auth/callback`
+	});
+
+	redirect(302, `${oauth}/authorize?${params}`);
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index ced5b0e6d5..bb20346f5f 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -110,9 +110,6 @@ importers:
       d3-geo-projection:
         specifier: ^4.0.0
         version: 4.0.0
-      devalue:
-        specifier: ^5.0.0
-        version: 5.0.0
       do-not-zip:
         specifier: ^1.0.0
         version: 1.0.0