
DatoCMS

INFRA · APIS
Velocity: 2.5

Headless CMS spends April hardening the developer surface and adding antivirus to the media pipeline.

headless-cms, media-management, security, cli-dx, plugins, visual-editing
Current state
DatoCMS is a headless CMS. April brought a security upgrade (automatic antivirus scanning across every Media Area upload, with CDN purge on detection), three coordinated CLI/DX improvements (unscoped npm package, OAuth-based project linking, plugin scaffolds in Astro and Next.js starters), and a Developer Plan API limit bump. Earlier in the window: in-CMS video editing alongside the existing image editor, permissions for Asset Collections, and pre-filtered linked record menus.
Where it's heading
Two parallel threads: cleaner developer onboarding (OAuth CLI replacing copy-paste tokens, plugin scaffolds shipped with starters, npx that just works) and treating the Media Area as a more hardened surface (in-CMS editing, asset permissions, antivirus). The CLI work reads as DatoCMS investing in becoming the type of CMS a developer can integrate without three copy-paste rituals.
Prediction
Expect the OAuth CLI to become the only documented path within a few releases, more antivirus-style trust features (likely SOC-2 attested workflows or content-policy scanning), and starter-kit ecosystem investment that widens framework support beyond Astro and Next.js.

Recent moves

  1. 2mo ago

    CLI: `npx datocms` now Just Works

    The DatoCMS CLI is now published under the unscoped npm name `datocms`, so `npx datocms` finally works in every install context (the npm/npx binary-name quirk previously bit users on the scoped `@datocms/cli` package). The scoped package remains as a thin alias for backward compatibility.

  2. 2mo ago

    CMA limit raised for Developer Plan

    Developer Plan CMA limit raised from 10K to 25K monthly API calls. Lowers the friction for prototypes and small projects on the free tier.

  3. 2mo ago

    CLI: Easier (and safer) project linking with OAuth

    OAuth login replaces token copy-paste for CLI auth: `datocms login` opens the browser, `datocms link` interactively connects a directory to a project, and every API call ties to the user's identity for clean audit trails. Existing token-based scripts and CI pipelines continue to work. A real DX and security upgrade for teams.

  4. 2mo ago

    Starter kits now ship with a plugin scaffold

    Astro and Next.js starters now ship with a private DatoCMS plugin scaffold wired into the same repo, so teams can build custom editor extensions without spinning up a separate plugin project. Astro starter also bumped to Astro 6 and CLI v4.

  5. 2mo ago

    Automatic antivirus scanning for all Media Area uploads

    ⚡ SPARK

    Every file uploaded to the Media Area is now scanned automatically; infected files are quarantined, purged from the CDN, and surfaced with badges in the dashboard and a `meta.antivirus` field on the CMA. A real platform-level trust feature that becomes especially material for B2C content workflows where end users upload assets.

  6. 3mo ago

    Configurable `hue` property on Visual Editing

    Visual Editing overlay color is now configurable via a `hue` property (0-359), so the highlight stands out on sites whose brand palette clashes with the previous default orange. Single-property config tweak.
